Code:
http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part4.html
PART-4
In the first three articles in this series on how to configure a NAP DHCP Enforcement policy, we went over the basics of NAP and then created a DHCP Enforcement policy on the NPS server that hosts the NAP policies. In this, part 4 and the final article in the series, we’ll finish up the configuration by setting up the DHCP server to work with the NPS server and the NAP policies, and then configure Group Policy so that NAP policy and NAP components are automatically configured for any machine that belongs to the NAP computers security group in Active Directory. At the end, we’ll finish up by testing the solution to see if it actually works.
Configure the DHCP Server
Now that we have the NAP policies set up with the help of the NAP wizard, we can move our attention to configuration of the DHCP server. Remember, the DHCP server is the network access server in a DHCP NAP scenario, and so we need to configure the DHCP server to communicate with the NAP components in order to work.
Open the DHCP console from the Administrative Tools menu. In the DHCP console, expand the server name, then expand the IPv4 node, and then expand the Scope node. Click on the Scope Options node. Right click on an empty area in the right pane as seen in the figure below, and click the Configure Options command.
Figure 1
In the Scope Options dialog box, click on the Advanced tab. In the Vendor class drop down box, make sure that it says DHCP Standard Options. In the User class drop down list box, make sure that you select the Default Network Access Protection Class entry. The DHCP options that we’re going to configure here will be handed out to clients that identify themselves as non-compliant NAP clients.
In the list of Available Options, find the 006 DNS Servers entry, put the IP address of the DNS server in the IP address text box, and then click Add.
Figure 2
Find the 015 DNS Domain Name option and enter in the String value text box a name that will be used by non-compliant NAP clients. This will allow you to easily identify non-compliant computers. Click OK.
Figure 3
You will now see entries for both the None and the Default Network Access Protection Class user classes. The latter class’s options will be assigned to non-compliant computers when DHCP enforcement is used with NAP.
Figure 4
But before NAP can use these settings, we need to configure the scope to work with NAP. Click on the Scope node under the IPv4 node in the left pane of the console and then right click it. In the Scope Properties dialog box, click the Network Access Protection tab. Select the Enable for this scope option and then select the Use default Network Access Protection profile option.
The Use custom profile option looks interesting, but there is no documentation on the Internet, including the www.microsoft.com Web site, that provides any information on how this option might be used. I’ll blog about this in the future if I figure out how to make this work.
Click OK in the Scope Properties dialog box.
Figure 5
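The DHCP-side steps above, as an added example that is not part of the original article: the same scope options and NAP scope setting done with the DhcpServer PowerShell module (Windows Server 2012 and later; the article's 2008 server has no such module). The scope ID and DNS server address are assumed placeholders; the restricted suffix is the one the article's test client later receives.

```powershell
# Added example, not the article's own steps. Assumes the DhcpServer module
# (Windows Server 2012+) and that the scope from Figures 1-5 is 10.0.0.0.
$ScopeId    = '10.0.0.0'                    # assumed scope ID
$DnsServer  = '10.0.0.2'                    # assumed DNS server for restricted clients
$NapClass   = 'Default Network Access Protection Class'
$Restricted = 'restricted.msfirewall.org'   # suffix the article hands to non-compliant clients

# Options 006 and 015 for the NAP user class only (Figures 2-3). Compliant clients
# keep the scope's normal values, which have no user class ("None" in Figure 4).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 6  -Value $DnsServer
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 15 -Value $Restricted

# Enable NAP on the scope. Leaving -NapProfile out selects the default NAP profile,
# the "Use default Network Access Protection profile" choice in Figure 5.
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

# Check: the NAP-class values should now sit beside the scope's normal values,
# and the scope should report NapEnable = True.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass |
    Format-Table OptionId, Name, Value -AutoSize
Get-DhcpServerv4Scope -ScopeId $ScopeId | Format-List ScopeId, NapEnable, NapProfile
```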
Configure NAP Settings in Group Policy
While we can manually configure NAP on each machine that will participate in our NAP security framework, manual configuration is not very scalable. To solve this problem, Microsoft has included the necessary Group Policy extensions required to make NAP configurable from Group Policy.
There are three things we need to do in Group Policy to centralize the configuration:
- Enable the NAP Agent on the machines participating in NAP
- Configure the NAP Enforcement Agent (in this case, it will be the DHCP NAP Enforcement Agent)
- Configure the Group Policy Object to apply only to machines that belong to the security group containing the machines that will participate in NAP network access controls.
Before performing the following steps, you need to create a Group Policy Object named NAP Client Settings. This can be done in the Group Policy Management Console. If you don’t know how to do this, check the Help in the Group Policy Management console, as it’s quite easy. Make sure that the Group Policy Object is in the domain that your computers are in.
Enable the NAP Agent
After you create the NAP Client Settings Group Policy Object, open that GPO in the Group Policy Management Editor. You can do that by right clicking on the GPO in the Group Policy Management Console and then clicking the Edit command.
In the Group Policy Management Editor, expand the Computer Configuration node and then expand the Policies node. Expand the Windows Settings node and then click the System Services node.
In the System Services node, you’ll see an entry in the right pane for Network Access Protection Agent. Double click on that entry. In the Network Access Protection Agent Properties dialog box, put a checkmark in the Define this policy setting checkbox and then select the Automatic option. Click OK.
These steps enable the NAP agent on computers where this GPO is enforced. The NAP Agent has to be enabled in order for NAP processing to work correctly.
Figure 6
Enable the DHCP Enforcement Client
The next step is to enable the DHCP Enforcement Client on the NAP enabled computers. In the Group Policy Management Editor, expand the Computer Configuration node, expand the Windows Settings node, and then expand the Network Access Protection node. Expand the NAP Client Configuration node and then click on the Enforcement Clients node.
When on the Enforcement Clients node, the right pane of the console will show the various enforcement clients available for NAP. You can enable one or more enforcement methods; you are not limited to a single enforcement client. In this example we are using only DHCP enforcement, so right click on the DHCP Quarantine Enforcement Client entry and click Enable, as seen in the figure below.
Figure 7
Click on the NAP Client Configuration node in the left pane of the console as seen in the figure below. Right click on the NAP Client Configuration node and then click Apply. This applies the Enforcement Client settings to Group Policy.
I have found that there are times when the Enforcement Client settings do not “take”. This has led to a confusing and time-consuming troubleshooting exercise for me in the past. What you might want to do after you apply the Enforcement Client settings is to close the Group Policy Management Console and the Group Policy Management Editor, open them again, and check the Enforcement Client settings. If you find that the Enforcement Client settings are not enabled, then enable them again. Usually after the second attempt they will keep.
Figure 8
Use Group Policy Security Filtering to Apply the GPO to the NAP Enforced Computers Security Group
Our final step in Group Policy is to apply the GPO settings in the NAP Client Settings GPO to the computers that belong to the NAP Enforced Computers security group that we created earlier. Open the Group Policy Management console, expand the forest name, and then expand the Domains node. Then expand your domain name and click on the NAP Client Settings GPO.
In the right pane of the console you’ll see a section named Security Filtering. You can use this feature to apply the Group Policy settings in this GPO to the security group we created for the NAP client computers.
In the Security Filtering section, click on the Authenticated Users entry and click the Remove button.
Figure 9
You will see a Group Policy Management dialog box asking “Do you want to remove this delegation privilege?” Click OK.
Figure 10
Now click the Add button. This will bring up the Select User, Computer or Group dialog box. Enter NAP Enforced Computers in the Enter the object name to select text box, and click Check Names to confirm that the group can be found. Then click OK.
Figure 11
You will now see in the Security Filtering section the security group that the NAP enabled computers will be placed in.
Figure 12
Enter the Vista Computer into the NAP Enforced Computers Security Group
With the Group Policy settings in place, we are ready to put our Vista client computer into the NAP Enforced Computers security group. Open the Active Directory Users and Computers console and click the Users node in the left pane of the console.
Double click on the NAP Enforced Computers entry. This brings up the NAP Enforced Computers Properties dialog box. Click the Members tab and then click the Add button.
In the Select Users, Contacts, Computers or Groups dialog box, enter the name of the computer that will participate in NAP enforcement. In this example, we have a domain member computer named VISTA2 and we’ll enter that into the Enter the object names to select text box.
Figure 13
If the machine that you want to participate in the NAP enforcement group hasn’t yet joined the domain, you can instead create the computer account in the Active Directory by using the Add Computer option in the Active Directory Users and Computers console. You can then later join this machine to the domain. In the example network that we’re using in this article, the VISTA2 computer is already a domain member.
At this point you might want to consider running the gpupdate /force command on the domain controller. Also, if your NAP enforced computers are already joined to the domain, you might want to restart those computers so that the new Group Policy settings are applied.
The most problematic area in the NAP solution is the Group Policy timing. In a production network you’ll have plenty of time to wait for Group Policy propagation, but in a lab environment we tend to get impatient and want things to work right away. If you find that the settings aren’t being applied to the client, then be patient. Restart the client a couple of times or run the gpupdate /force command on the client. If NAP still isn’t working, then recheck all of your settings in the NAP configuration and also in Group Policy. There are a lot of “moving parts” and it’s easy to miss a step.
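The security filtering (Figures 9-12) and group membership (Figure 13) steps above, as an added example that is not part of the original article: the same changes made with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Windows 7 / Server 2008 R2 and later, assumed to be installed). One check a practitioner will want: on patched domains, computer-side Group Policy processing must still be able to read the GPO, so the example lowers Authenticated Users to Read rather than removing the entry outright as the article does.

```powershell
# Added example, not the article's own steps. Assumes the GroupPolicy and
# ActiveDirectory modules are available and the GPO and group already exist.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'NAP Client Settings'
$NapGroup = 'NAP Enforced Computers'

# Figures 9-11: only the NAP group should *apply* the GPO. Caveat: since MS16-072
# (June 2016) the computer account must still *read* every GPO it evaluates, so keep
# Authenticated Users at Read (-Replace lowers it from Apply) instead of deleting it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $NapGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Figure 13: add the (already domain-joined) client to the group.
Add-ADGroupMember -Identity $NapGroup -Members (Get-ADComputer -Identity 'VISTA2')

# Checks: who can apply the GPO, and who is in the group. Expect GpoApply only for
# the NAP group, and VISTA2 (objectClass computer) in the membership list.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-ADGroupMember -Identity $NapGroup | Select-Object Name, objectClass
```

The client still needs a gpupdate /force or a restart, as the article says, before the NAP Agent service and DHCP enforcement client settings take effect.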
Now let’s see the NAP solution in action.
Test the Solution
Remember that when you’re using DHCP enforcement, the clients must be using DHCP to obtain IP addressing information. When you open a command prompt and run the ipconfig command, you will see the IP addressing information for the DHCP client. In the figure below, you can see that this client is not NAP compliant, as it received the domain name restricted.msfirewall.org, which is the DHCP option we created for non-compliant NAP clients.
Figure 14
At the command prompt, run the Route Print command. Notice the routes to the DHCP server and the domain controller. Notice that there are no other routing entries to the on-subnet network ID. This means that this NAP client will be able to reach the DHCP server and the domain controller, but no other machines on the network. This machine is locked down because the routing table entries prevent access to any other IP addresses except those we’ve configured in NAP (remember that the domain controller is in the remediation group, and the DHCP server is automatically allowed since it is the network access server that controls the level of network access).
Figure 15
These findings are what you would see if the machine were not joined to the domain or if the NAP settings aren’t being applied to the client.
Now let’s see what things look like when the NAP settings are applied.
Run the ipconfig command again and you’ll see that you get the non-restricted domain name assigned to the client.
Figure 16
Run the Route Print command. Here you’ll see that we have a default gateway configured. In addition, we now have a routing entry to the on-subnet network ID. The special routing entries to the DHCP server and the domain controller have been removed.
Figure 17
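The checks the article makes by eye in Figures 14 through 17, as an added example that is not part of the original article: a PowerShell function that reads the same ipconfig and route print output and reports whether the client looks restricted. It assumes PowerShell is present on the client (not installed by default on Vista) and that the restricted suffix is the one configured earlier in the article.

```powershell
# Added example, not from the article. Assumes PowerShell on the NAP client and
# the restricted DNS suffix configured for the NAP user class in Figure 3.
$RestrictedSuffix = 'restricted.msfirewall.org'

function Get-NapClientState {
    # NAP Agent service (set to Automatic by the GPO in Figure 6); service name is napagent.
    $agent  = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $status = if ($agent) { $agent.Status } else { 'not installed' }

    # Figures 14/16: the connection-specific DNS suffix shows which DHCP user class answered.
    $suffix = ''
    $line   = @((ipconfig) -match 'Connection-specific DNS Suffix')
    if ($line.Count -gt 0) { $suffix = ($line[0] -split ':\s*', 2)[1].Trim() }

    # Figures 15/17: a restricted client has only /32 host routes to the DHCP server and
    # the DC; it has no default gateway and no route for its own subnet.
    $hasDefault = $false; $hasSubnet = $false
    foreach ($r in (route print -4)) {
        if ($r -match '^\s*(?<dst>\d+(\.\d+){3})\s+(?<mask>\d+(\.\d+){3})\s') {
            $dst = $Matches['dst']; $mask = $Matches['mask']
            if ($dst -eq '0.0.0.0' -and $mask -eq '0.0.0.0') { $hasDefault = $true }
            elseif ($mask -ne '255.255.255.255' -and $dst -notmatch '^(127|224)\.') {
                $hasSubnet = $true    # a network route other than loopback/multicast
            }
        }
    }

    [pscustomobject]@{
        NapAgent       = $status
        DnsSuffix      = $suffix
        DefaultGateway = $hasDefault
        SubnetRoute    = $hasSubnet
        Restricted     = ($suffix -eq $RestrictedSuffix) -or -not ($hasDefault -and $hasSubnet)
    }
}

Get-NapClientState | Format-List
# The agent's own view of enabled enforcement clients and compliance state:
netsh nap client show state
```

A client that shows Restricted = True while the NAP Agent is running and the GPO has applied is one that failed a health check; Restricted = True with NapAgent stopped or 'not installed' points at the Group Policy problems the article describes.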
Let’s test the auto-remediation feature. Recall that we enabled auto-remediation in the Windows Security SHV. This allows the NAP Agent to try and fix security problems that might crop up on the NAP client. For example, if the firewall is disabled on the NAP client, the NAP Agent can turn the firewall back on.
In the figure below, you can see that I’ve turned off the Windows Firewall on the Vista client. Try this on your own Vista client.
Figure 18
Wait a few seconds. Bam! You’ll see that the state of the Windows firewall automatically changes to being on again without any intervention on your part.
Figure 19
Note that you didn’t see anything in the system tray for this. If you want to see a system tray notification, then you’ll need to configure things so that the NAP Agent will not be able to auto-remediate. If you go back to the Windows SHV on the NPS server, you can change it so that an AV program is required. If there is no AV program on the client, then you’ll see a system tray notification balloon stating that the security configuration of the computer does not meet network requirements. If you click the balloon, you’ll see a dialog box like that in the figure below.
Figure 20
Summary
In this, the last part of our four part series on using DHCP enforcement with NAP, we went over the DHCP server configuration and then set things up in Group Policy to automate policy deployment. We then finished up by testing the solution and confirming that the NAP DHCP policy enforcement actually worked. And it did! In the future I’ll do more articles on NAP configuration using different enforcement methods. Then we’ll take a closer look at more sophisticated options, such as using multiple NAP and DHCP servers (or enforcement servers). See you then! –Tom