nap_dhcp

Upload: luckyhulk

Post on 04-Jun-2018


8/13/2019 NAP_DHCP 1/32

Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab

    Microsoft Corporation

    Published: February 2008

    Abstract

Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista®, Windows Server® 2008, and Windows XP with Service Pack 3 operating systems. (NAP can also be deployed on computers running Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8.) NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the DHCP enforcement method.


Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, MS-


Contents

Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
Abstract
Copyright Information
Contents
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
In this guide
Scenario overview
NAP enforcement processes
Policy validation
NAP enforcement and network restriction
Remediation


Configure NAP client settings in Group Policy
Configure security filters for the NAP client settings GP


Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab

Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.

In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.

NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.

NAP enforces health requirements for the following:

- Internet Protocol security (IPsec)-protected communications
- Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
- Virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration
- Terminal Services Gateway (TS Gateway)

The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

In this guide

This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the DHCP enforcement method using two server computers and one client computer. The test lab lets you create and enforce client health requirements using NAP and DHCP.

Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.


Scenario overview

In this test lab, NAP enforcement for DHCP network access control is deployed with a server running Windows Server 2008 or Windows Server 2008 R2 that has DHCP and the Network Policy Server (NPS) service installed, and a client computer running Windows Vista or Windows 7 with the NAP agent service running and the DHCP enforcement client component enabled. A computer running Windows Server® 2003 is also used in the test lab as a domain controller and DNS server. The test lab will demonstrate how NAP-capable client computers are provided network access based on their compliance with network health requirements.

NAP enforcement processes

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.

Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, and enforce the following settings for NAP-capable computers:

- The client computer has firewall software installed and enabled.
- The client computer has antivirus software installed and running.
- The client computer has current antivirus updates installed.
- The client computer has antispyware software installed and running.
- The client computer has current antispyware updates installed.
- Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall, and have an antivirus application installed.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:


- Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
- Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
- Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a TCP/IP configuration to the client computer that places it on a restricted network.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.

This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.

DHCP NAP enforcement overview

The test environment described in this guide includes a domain controller running Windows Server 2003, a member server running Windows Server 2008 or Windows Server 2008 R2, and a client computer running Windows Vista or Windows 7. The domain controller, member server, and the client computer compose a private intranet and are connected through a common hub or layer 2 switch. Private addresses are used throughout the test lab configuration. The private


network ID 192.168.0.0/24 is used for the intranet. The domain controller is named DC1 and is the primary domain controller for the domain named Contoso.com. The member server is named NPS1 and is configured as a DHCP server and a network policy server. The client is named CLIENT1 and is configured for automatic addressing through DHCP. The following figure shows the configuration of the test environment.

Hardware and software requirements

The following are required components of the test lab:

- The product disc for Windows Server 2008 or Windows Server 2008 R2.
- The product disc for Windows Vista Business, Windows Vista Enterprise, or Windows Vista Ultimate. You can also use the product discs for Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate.
- The product disc for Windows Server 2003 with Service Pack 2 (SP2).


DC1 is a server computer running the Windows Server 2003 Standard Edition operating system. DC1 is configured as a domain controller with Active Directory and the primary DNS server for the intranet subnet.

2. Configure NPS1.

NPS1 is a server computer running Windows Server 2008 or Windows Server 2008 R2. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. NPS1 will also be configured with the DHCP service and function as a NAP enforcement server.

3. Configure CLIENT1.

CLIENT1 is a client computer running Windows Vista or Windows 7. CLIENT1 will be configured as a DHCP client and a NAP client.

Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

After the NAP components are configured, this guide will provide steps for a demonstration of NAP enforcement and auto-remediation. The following sections provide details about how to perform these tasks.

Configure DC1

DC1 is a computer running Windows Server 2003 Standard Edition with SP2, which provides the following services:

- A domain controller for the Contoso.com Active Directory domain.
- A DNS server for the Contoso.com DNS domain.

DC1 configuration consists of the following steps:

- Install the operating system.
- Configure TCP/IP.
- Install Active Directory and DNS.
- Create a user account and group in Active Directory.
- Create a NAP client computer security group.

The following sections explain these steps in detail.

Install the operating system on DC1

Install Windows Server 2003 Standard Edition with SP2 as a stand-alone server.

To install the operating system on DC1
1. Start your computer using the Windows Server 2003 product disc.


2. When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.

1. Click Start, click Run, and then type ncpa.cpl.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select Use the following IP address. Type 192.168.0.1 next to IP address and 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close the Network Connections window.

Configure DC1 as a domain controller and DNS server

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.

1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the Active Directory Installation Wizard dialog box, click Next.
3.


1. After the computer is restarted, log in to the C


To create a security group for NAP client computers
1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type NAP client computers.
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.

Configure NPS1

For the test lab, NPS1 will be running Windows Server 2008 or Windows Server 2008 R2, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting. NPS1 configuration consists of the following steps:

- Install the operating system.
- Configure TCP/IP.
- Join the computer to the domain.
- Install the NPS and DHCP server roles.
- Install the Group Policy Management feature.
- Configure NPS as a NAP health policy server.
- Configure DHCP.
- Configure NAP client settings in Group Policy.

Install Windows Server 2008 or Windows Server 2008 R2

To install Windows Server 2008 or Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 or Windows Server 2008 R2 product CD.
2. When prompted for the installation type, choose Custom.
3. Follow the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on NPS1

1. Click Server Manager.
2. Under Server Summary, click View Network Connections.
3. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5. In the Local Area Connection Properties dialog box, click Internet Protocol


Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9. Close the Network Connections window.
10. Do not close the Server Manager window. It will be used in the next procedure.
11. Next, check network communication between NPS1 and DC1 by running the ping command from NPS1.
12. Click Start, click Run, in Open type cmd, and then press ENTER.
13. In the command window, type ping DC1.
14. Verify that the response reads "Reply from 192.168.0.1."
15. Close the command window.

Join NPS1 to the contoso.com domain

1. In Server Manager, under Server Summary, click Change System Properties.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1.
4. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com.
5. Click More. Under Primary DNS suffix of this computer, type Contoso.com, and then click OK twice.
6. When prompted for a user name and password, type User1 and the password for the user account that you added to the Domain Admins group, and then click OK.
7. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
8. When you are prompted that you must restart the computer, click OK.
9.


UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.

Install the NPS and DHCP server roles

Next, install the NPS and DHCP server roles on NPS1.

To install the NPS server role
1. Click Start, and then click Server Manager.
2. Under Roles Summary, click Add roles, and then click Next.
3. , next to Ending IP Address, type 192.168.0.10, and next to Subnet Mask, type 255.255.255.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12.


1. In Server Manager, under

Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.

- Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through DHCP to specify a restricted subnet. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
- Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires DHCP as the network access server for client authentication.
- RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. Remote DHCP servers are configured as RADIUS clients on NPS. A remote DHCP server is not used in this test lab; therefore, it will not be necessary to configure RADIUS clients and servers.
- Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they are automatically available to computers on the restricted access subnet when you add them to


remediation server groups. This test lab includes a demonstration of the use of a remediation server group to provide domain services to a client with restricted network access.

Configure NAP with a wizard

The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

To configure NPS using the NAP wizard
1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.


4. Because this NAP health policy server has DHCP installed locally, we do not need to add RADIUS clients.

6.


Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.

10.


OK to close the Windows Security Health Validator Properties dialog box.
6. Close the Network Policy Server console.

1. In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
2. In the details pane, under Name, double-click Default Configuration.
3. In the Windows Security Health Validator dialog box, in the left pane, select Windows 7/Windows Vista, and then under Choose policy settings for Windows Security Health Validator, clear all the check boxes except for A firewall is enabled for all network connections.
4. Click OK to close the Windows Security Health Validator dialog box, and then close the Network Policy Server console.

Configure DHCP on NPS1

NPS1 is the member server that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager. We will configure scope options further for NAP.

Open the DHCP console

1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.

Enable NAP settings for the scope

First, enable the default NAP profile for the NAP scope.

1. In the DHCP console, double-click nps1.contoso.com, and then double-click IPv4.
2. Right-click Scope 192.168.0.0 NAP Scope, and then click Properties.
3.


Options, and then click Configure Options.
2. Because all computers in the test lab are located on the same subnet, this option is not required.

Configure the default NAP class

Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

1. In the DHCP console tree, under Scope 192.168.0.0 NAP Scope, right-click Scope Options, and then click Configure Options.
2.


After these settings are configured in the GP


7. Close the GPMC.

Note
CLIENT1 will be added to the NAP client computers security group after it is joined to the domain.

Configure CLIENT1

CLIENT1 is a computer running Windows Vista or Windows 7 that you will use to demonstrate how NAP can be used with DHCP to help protect a network from noncompliant client computers. CLIENT1 configuration is performed in the following steps:

- Install the operating system.
- Configure TCP/IP.
- Verify network connectivity.
- Join the computer to the domain.
- Add CLIENT1 to the NAP client computers security group and restart the computer.
- Enable Run on the Start menu.
- Verify Group Policy settings.

The following sections explain these steps in detail.

Install Windows Vista on CLIENT1

1. Start your computer using the product discs for Windows Vista or Windows 7.
2. When prompted for the installation type, choose Custom Installation.
3. When prompted for a computer name, type CLIENT1.
4.


4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
7. Close the Network Connections and Network and Sharing Center windows.

Test network connectivity for CLIENT1

Because CLIENT1 has not joined the domain, it has not yet received Group Policy settings to start the NAP Agent service. When the NAP Agent service is not running, CLIENT1 is evaluated as non-NAP-capable. By default, the NAP configuration wizard provides restricted access to non-NAP-capable clients. Run the ping command from CLIENT1 to confirm the loss of network communication between CLIENT1 and DC1.

1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "PING: transmit failed."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. CLIENT1 is configured with a classless network address, causing its network access to be restricted.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is not displayed. Because CLIENT1 has a classless network address and no active route to contact DC1, it does not have access to domain services.
8. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.2 is displayed. This is the IP address of NPS1, which serves as the NAP DHCP enforcement server for the test lab. The NAP DHCP enforcement server is automatically available to clients on the restricted network. You do not have to add this server to a remediation server group.
9. Leave the command window open for the following procedure.
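The checks in steps 4 through 8 (host-only subnet mask, restricted DNS suffix, no route to DC1, a route to NPS1) can be run as one PowerShell script on the client. This is an added example, not part of the Microsoft guide; it assumes the lab addressing above (DC1 at 192.168.0.1, NPS1 at 192.168.0.2), the restricted.contoso.com suffix, and the WMI classes available on Windows Vista and Windows 7, and it reports the DC1 route separately so the same script can be re-run after DC1 is added to a remediation server group.

```powershell
# Added example (not from the Microsoft guide): report whether this NAP client
# currently holds a restricted DHCP lease, using the indicators the procedure
# inspects by hand with ipconfig and route print.
# Assumptions: DC1 = 192.168.0.1, NPS1 = 192.168.0.2, restricted suffix
# restricted.contoso.com. Win32_NetworkAdapterConfiguration and
# Win32_IP4RouteTable exist on Vista/7, so the NetTCPIP module is not needed.

function Test-NapDhcpRestriction {
    param(
        [string]$Dc1Address       = '192.168.0.1',
        [string]$NpsAddress       = '192.168.0.2',
        [string]$RestrictedSuffix = 'restricted.contoso.com',
        [switch]$Renew            # renew the lease first (needs an elevated shell)
    )

    if ($Renew) {
        # A renewal makes the NAP client send a fresh statement of health with
        # the DHCP request, which is the ongoing-monitoring path the guide describes.
        ipconfig /renew | Out-Null
    }

    # First DHCP-enabled adapter that currently holds an address.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.IPAddress } |
        Select-Object -First 1
    if (-not $nic) { throw 'No DHCP-configured adapter with an address was found.' }

    # IPAddress and IPSubnet are parallel arrays; pick the IPv4 entry.
    $idx = 0
    for ($i = 0; $i -lt $nic.IPAddress.Length; $i++) {
        if ($nic.IPAddress[$i] -match '^\d+\.\d+\.\d+\.\d+$') { $idx = $i; break }
    }
    $address = $nic.IPAddress[$idx]
    $mask    = $nic.IPSubnet[$idx]

    # A restricted client gets a host-only (/32) lease and the restricted suffix.
    $hostOnlyMask  = ($mask -eq '255.255.255.255')
    $suffixMatches = ($nic.DNSDomain -eq $RestrictedSuffix)

    # On the restricted network the only routes are host routes to the
    # enforcement server and to remediation servers. Before DC1 is added to a
    # remediation server group it must be absent; NPS1 is always present.
    $destinations = @(Get-WmiObject Win32_IP4RouteTable | ForEach-Object { $_.Destination })
    $routeToDc1   = $destinations -contains $Dc1Address
    $routeToNps1  = $destinations -contains $NpsAddress

    $restricted = $hostOnlyMask -and $suffixMatches -and $routeToNps1

    New-Object PSObject -Property @{
        Adapter     = $nic.Description
        IPAddress   = $address
        SubnetMask  = $mask
        DnsSuffix   = $nic.DNSDomain
        RouteToDC1  = $routeToDc1
        RouteToNPS1 = $routeToNps1
        Restricted  = $restricted
    }
}

# Run once now, then again after a lease renewal to watch the state change
# once the client is joined to the domain and becomes NAP-capable.
Test-NapDhcpRestriction | Format-List
Test-NapDhcpRestriction -Renew | Format-List
```

RouteToDC1 is expected to be False at this point in the lab and True after the remediation server procedure that follows, while Restricted stays True until the client is compliant.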

Configure DC1 as a remediation server

Next, configure DC1 as a remediation server so that CLIENT1 has access to DNS and Active Directory when it is granted restricted access.

1.


Policies.
3. In the details pane, double-click NAP DHCP Non NAP-Capable.
4.


Join CLIENT1 to the Contoso.com domain

Because CLIENT1 now has access to domain services, it can be joined to the domain.

1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. In the System Properties dialog box, click Change.
4. In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com.
5. Click More, and in Primary DNS suffix of this computer, type Contoso.com.
6. Click OK twice.
7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
10. In the System Properties dialog box, click Close.
11. In the dialog box that prompts you to restart the computer, click Restart Later.

Note
Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT1 will receive NAP client settings from Group Policy.

Add CLIENT1 to the NAP client computers security group

After joining the domain, CLIENT1 must be added to the NAP client computers security group so that it can receive NAP client settings.

1.


    Enable Run on the Start menu

    The run command is useful for several procedures in the test lab. To make it readily available, we will enable Run on the Start menu.

    1. After CLIENT1 has been restarted, click Switch User, click Other User, and then log on to the C


    1.


    Because auto-remediation occurs rapidly, you might not see one or both of these messages.

    Verification of health policy enforcement

    Network health policy enforcement will be verified by configuring an additional requirement in network policy that is not met by CLIENT1, and demonstrating that CLIENT1 is subsequently placed on the restricted network.

    Configure WSHV to require an antivirus application

    Configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.

    1.


    Access Protection, then System Health Validators.

    2. Under Name, double-click Windows Security Health Validator.

    3. In the Windows Security Health Validator Properties dialog box, click Configure.

    4. In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box.

    5. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.

    Release and renew the IP address on CLIENT1

    To reevaluate the health state of CLIENT1 against the new network health requirements, turn Windows Firewall off. CLIENT1 will automatically remediate the Windows Firewall setting, but because an antivirus program is not installed, the health requirement for an antivirus program cannot be met. Therefore, CLIENT1 will remain in a noncompliant state and will obtain an IP address configuration for the restricted network.

    1.


    Eou !i"ht see a !essa"e in the notification area that indicates the co!puter does not !eet the

    corporate security reuire!ents*

    =ie$ te c%ients restriction state $it Nets

    Eou can also check the restriction state of the co!puter usin" a NAP Netsh co!!and*

    .*


    See Also: http://go.microsoft.com/fwlink/?LinkId=56443

    Appendix

    This appendix will help you with troubleshooting techniques and the setting of optional features in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7.

    Set UAC behavior of the elevation prompt for administrators

    By default, User Account Control (UAC) is enabled in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.

    1. Click Start, point to All Programs, click Accessories, and then click Run.

    2. Type secpol.msc, and press ENTER.

    3. In the User Account Control dialog box, click Continue.

    4. In the left pane, double-click Local Policies, and then click Security Options.

    5. In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

    6. From the drop-down list box, choose Elevate without prompting, and then click OK.

    7. Close the Local Security Policy window.

    Review NAP client events

    Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.

    1. Click Start, point to All Programs, click Accessories, and then click Run.

    2. Type eventvwr.msc, and press ENTER.

    3. In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

    4. Click an event in the middle pane.

    5. By default, the General tab is displayed. Click the Details tab to view additional information.


    * Eou can also ri"ht9click an e'ent and then click E#ent Propertiesto open a new

    window for re'iewin" e'ents*

    'e#ie$ NAP ser#er e#ents+e'iewin" infor!ation contained in #indows &yste! e'ents on your NAP ser'ers can assist you

    with troubleshootin"* /t can also help you to understand NAP ser'er functionality*

    .* Click Startand then click 'un*

    2* 1ype e#ent#$r,msc, and press N1+*

    )* /n the left tree, na'i"ate to E#ent =ie$er-Loca%.Custom =ie$sSer#er

    'o%esNet$or& Po%icy and Access Ser#ices*

    D* Click an e'ent in the !iddle pane*

    @* >y default, the Genera%tab is displayed* Click the Detai%stab to 'iew additionalinfor!ation*

    * Eou can also ri"ht9click an e'ent and then click E#ent Propertiesto open a new

    window for re'iewin" e'ents*
