8/13/2019 NAP_DHCP
Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
Microsoft Corporation
Published: February 2008
Abstract
Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista® and Windows Server® 2008 and Windows XP with Service Pack 3 operating systems. (NAP can also be deployed on computers running Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8.) NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the DHCP enforcement method.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, MS-
Contents
Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab ..... 1
Abstract ..... 1
Copyright Information ..... 2
Contents ..... 3
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab ..... 5
In this guide ..... 5
Scenario overview ..... 6
NAP enforcement processes ..... 6
Policy validation ..... 6
NAP enforcement and network restriction ..... 6
Remediation ..... 7
Configure NAP client settings in Group Policy ..... 20
Configure security filters for the NAP client settings GP
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.
In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.
NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.
NAP enforces health requirements for the following:
Internet Protocol security (IPsec)-protected communications
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
Virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration
Terminal Services Gateway (TS Gateway)
The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.
In this guide
This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the DHCP enforcement method using two server computers and one client computer.
The test lab lets you create and enforce client health requirements using NAP and DHCP.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Scenario overview
In this test lab, NAP enforcement for DHCP network access control is deployed with a server running Windows Server 2008 or Windows Server 2008 R2 that has DHCP and the Network Policy Server (NPS) service installed, and a client computer running Windows Vista or Windows 7 with the NAP agent service running and the DHCP enforcement client component enabled. A computer running Windows Server® 2003 is also used in the test lab as a domain controller and DNS server. The test lab will demonstrate how NAP-capable client computers are provided network access based on their compliance with network health requirements.
NAP enforcement processes
Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.
Policy validation
System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.
Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, and enforce the following settings for NAP-capable computers:
The client computer has firewall software installed and enabled.
The client computer has antivirus software installed and running.
The client computer has current antivirus updates installed.
The client computer has antispyware software installed and running.
The client computer has current antispyware updates installed.
Microsoft Update Services is enabled on the client computer.
In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).
This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall, and have an antivirus application installed.
NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.
You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a TCP/IP configuration to the client computer that places it on a restricted network.
Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.
You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.
This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.
Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.
DHCP NAP enforcement overview
The test environment described in this guide includes a domain controller running Windows Server 2003, a member server running Windows Server 2008 or Windows Server 2008 R2, and a client computer running Windows Vista or Windows 7. The domain controller, member server, and the client computer compose a private intranet and are connected through a common hub or layer 2 switch. Private addresses are used throughout the test lab configuration. The private
network ID 192.168.0.0/24 is used for the intranet. The domain controller is named DC1 and is the primary domain controller for the domain named Contoso.com. The member server is named NPS1 and is configured as a DHCP server and a network policy server. The client is named CLIENT1 and is configured for automatic addressing through DHCP. The following figure shows the configuration of the test environment.
Hardware and software requirements
The following are required components of the test lab:
The product disc for Windows Server 2008 or Windows Server 2008 R2.
The product disc for Windows Vista Business, Windows Vista Enterprise, or Windows Vista Ultimate. You can also use the product discs for Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate.
The product disc for Windows Server 2003 with Service Pack 2 (SP2).
DC1 is a server computer running the Windows Server 2003 Standard Edition operating system. DC1 is configured as a domain controller with Active Directory and the primary DNS server for the intranet subnet.
2. Configure NPS1.
NPS1 is a server computer running Windows Server 2008 or Windows Server 2008 R2. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-In User Service (RADIUS) server. NPS1 will also be configured with the DHCP service and function as a NAP enforcement server.
3. Configure CLIENT1.
CLIENT1 is a client computer running Windows Vista or Windows 7. CLIENT1 will be configured as a DHCP client and a NAP client.
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
After the NAP components are configured, this guide will provide steps for a demonstration of NAP enforcement and auto-remediation. The following sections provide details about how to perform these tasks.
Configure DC1
DC1 is a computer running Windows Server 2003 Standard Edition with SP2, which provides the following services:
A domain controller for the Contoso.com Active Directory domain.
A DNS server for the Contoso.com DNS domain.
DC1 configuration consists of the following steps:
Install the operating system.
Configure TCP/IP.
Install Active Directory and DNS.
Create a user account and group in Active Directory.
Create a NAP client computer security group.
The following sections explain these steps in detail.
Install the operating system on DC1
Install Windows Server 2003 Standard Edition with SP2 as a stand-alone server.
To install the operating system on DC1
1. Start your computer using the Windows Server 2003 product disc.
2. When prompted for a computer name, type DC1.
Configure TCP/IP on DC1
Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.
1. Click Start, click Run, and then type ncpa.cpl.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select Use the following IP address. Type 192.168.0.1 next to IP address and 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close the Network Connections window.
Configure DC1 as a domain controller and DNS server
DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.
1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the Active Directory Installation Wizard dialog box, click Next.
3.
1. After the computer is restarted, log in to the C
To create a security group for NAP client computers
1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type NAP client computers.
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.
Configure NPS1
For the test lab, NPS1 will be running Windows Server 2008 or Windows Server 2008 R2, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting.
NPS1 configuration consists of the following steps:
Install the operating system.
Configure TCP/IP.
Join the computer to the domain.
Install the NPS and DHCP server roles.
Install the Group Policy Management feature.
Configure NPS as a NAP health policy server.
Configure DHCP.
Configure NAP client settings in Group Policy.
Install Windows Server 2008 or Windows Server 2008 R2
To install Windows Server 2008 or Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 or Windows Server 2008 R2 product CD.
2. When prompted for the installation type, choose Custom.
3. Follow the instructions that appear on your screen to finish the installation.
Configure TCP/IP properties on NPS1
To configure TCP/IP properties on NPS1
1. Click Server Manager.
2. Under Server Summary, click View Network Connections.
3. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5. In the Local Area Connection Properties dialog box, click Internet Protocol
Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9. Close the Network Connections window.
10. Do not close the Server Manager window. It will be used in the next procedure.
11. Next, check network communication between NPS1 and DC1 by running the ping command from NPS1.
12. Click Start, click Run, in Open type cmd, and then press ENTER.
13. In the command window, type ping DC1.
14. Verify that the response reads "Reply from 192.168.0.1."
15. Close the command window.
Join NPS1 to the contoso.com domain
1. In Server Manager, under Server Summary, click Change System Properties.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1.
4. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com.
5. Click More. Under Primary DNS suffix of this computer, type Contoso.com, and then click OK twice.
6. When prompted for a user name and password, type User1 and the password for the user account that you added to the Domain Admins group, and then click OK.
7. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
8. When you are prompted that you must restart the computer, click OK.
9.
UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.
Install the NPS and DHCP server roles
Next, install the NPS and DHCP server roles on NPS1.
To install the NPS server role
1. Click Start, and then click Server Manager.
2. Under Roles Summary, click Add Roles, and then click Next.
3.
next to Ending IP Address, type 192.168.0.10, and next to Subnet Mask, type 255.255.255.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12.
1. In Server Manager, under
Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.
Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through DHCP to specify a restricted subnet. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires DHCP as the network access server for client authentication.
RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. Remote DHCP servers are configured as RADIUS clients on NPS. A remote DHCP server is not used in this test lab; therefore, it will not be necessary to configure RADIUS clients and servers.
Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they are automatically available to computers on the restricted access subnet when you add them to
remediation server groups. This test lab includes a demonstration of the use of a remediation server group to provide domain services to a client with restricted network access.
Configure NAP with a wizard
The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
To configure NPS using the NAP wizard
1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. Because this NAP health policy server has DHCP installed locally, we do not need to add RADIUS clients.
6.
Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
10.
OK to close the Windows Security Health Validator Properties dialog box.
6. Close the Network Policy Server console.
1. In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
2. In the details pane, under Name, double-click Default Configuration.
3. In the Windows Security Health Validator dialog box, in the left pane, select Windows 7/Windows Vista, and then under Choose policy settings for Windows Security Health Validator, clear all the check boxes except for A firewall is enabled for all network connections.
4. Click OK to close the Windows Security Health Validator dialog box, and then close the Network Policy Server console.
Configure DHCP on NPS1
NPS1 is the member server that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager. We will configure scope options further for NAP.
Open the DHCP console
1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.
Enable NAP settings for the scope
First, enable the default NAP profile for the NAP scope.
1. In the DHCP console, double-click nps1.contoso.com, and then double-click IPv4.
2. Right-click Scope 192.168.0.0 NAP Scope, and then click Properties.
3.
Options, and then click Configure Options.
2. Because all computers in the test lab are located on the same subnet, this option is not required.
Configure the default NAP class
Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.
1. In the DHCP console tree, under Scope 192.168.0.0 NAP Scope, right-click Scope Options, and then click Configure Options.
2.
After these settings are configured in the GP
7. Close the GPMC.
Note
CLIENT1 will be added to the NAP client computers security group after it is joined to the domain.
Configure CLIENT1
CLIENT1 is a computer running Windows Vista or Windows 7 that you will use to demonstrate how NAP can be used with DHCP to help protect a network from noncompliant client computers.
CLIENT1 configuration is performed in the following steps:
Install the operating system.
Configure TCP/IP.
Verify network connectivity.
Join the computer to the domain.
Add CLIENT1 to the NAP client computers security group and restart the computer.
Enable Run on the Start menu.
Verify Group Policy settings.
The following sections explain these steps in detail.
Install Windows Vista on CLIENT1
1. Start your computer using the product discs for Windows Vista or Windows 7.
2. When prompted for the installation type, choose Custom Installation.
3. When prompted for a computer name, type CLIENT1.
4.
4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
7. Close the Network Connections and Network and Sharing Center windows.
Test network connectivity for CLIENT1
Because CLIENT1 has not joined the domain, it has not yet received Group Policy settings to start the NAP Agent service. When the NAP Agent service is not running, CLIENT1 is evaluated as non-NAP-capable. By default, the NAP configuration wizard provides restricted access to non-NAP-capable clients. Run the ping command from CLIENT1 to confirm the loss of network communication between CLIENT1 and DC1.
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "PING: transmit failed."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. CLIENT1 is configured with a classless network address, causing its network access to be restricted.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is not displayed. Because CLIENT1 has a classless network address and no active route to contact DC1, it does not have access to domain services.
8. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.2 is displayed. This is the IP address of NPS1, which serves as the NAP DHCP enforcement server for the test lab. The NAP DHCP enforcement server is automatically available to clients on the restricted network. You do not have to add this server to a remediation server group.
9. Leave the command window open for the following procedure.
Configure DC1 as a remediation server
Next, configure DC1 as a remediation server so that CLIENT1 has access to DNS and Active Directory when it is granted restricted access.
1.
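The steps above read the restriction state off the ipconfig and route print output by eye. The following PowerShell function is an added example and is not part of Microsoft's guide: it parses the same two command outputs and reports whether the client holds a classless (255.255.255.255) address, which DNS suffix it received, and whether host routes to NPS1 (192.168.0.2) and DC1 (192.168.0.1) are present, so the check can be repeated before and after DC1 is added to the remediation server group. The function name, its parameters and the sample command output are constructed for this example; the addresses are the lab values from the guide.

```powershell
# Added example (not from the Microsoft guide): classify a client's DHCP NAP restriction
# state from the evidence the procedure inspects by hand: the ipconfig subnet mask and
# DNS suffix, plus the host routes in "route print -4".
function Get-NapDhcpRestrictionState {
    param(
        [Parameter(Mandatory = $true)][string[]]$IpconfigOutput,  # lines from: ipconfig
        [Parameter(Mandatory = $true)][string[]]$RouteOutput,     # lines from: route print -4
        [string]$EnforcementServer = '192.168.0.2',               # NPS1, the DHCP NAP server (lab value)
        [string]$DomainController  = '192.168.0.1'                # DC1, the remediation server (lab value)
    )

    $suffix = $null; $mask = $null
    foreach ($line in $IpconfigOutput) {
        # ipconfig pads labels with ". . ." before the colon, hence [\s.]* in the patterns
        if ($line -match 'Connection-specific DNS Suffix[\s.]*:\s*(\S*)') { $suffix = $Matches[1] }
        if ($line -match 'Subnet Mask[\s.]*:\s*([\d.]+)')                 { $mask   = $Matches[1] }
    }

    # A restricted client only gets host routes (netmask 255.255.255.255) handed out by
    # DHCP; collect their destinations to see which servers are reachable.
    $hostRoutes = @()
    foreach ($line in $RouteOutput) {
        if ($line -match '^\s*([\d.]+)\s+255\.255\.255\.255\s+') { $hostRoutes += $Matches[1] }
    }

    New-Object PSObject -Property @{
        Restricted         = ($mask -eq '255.255.255.255')   # classless address = restricted network
        DnsSuffix          = $suffix
        SubnetMask         = $mask
        ReachesEnforcement = ($hostRoutes -contains $EnforcementServer)
        ReachesDC          = ($hostRoutes -contains $DomainController)
        HostRoutes         = $hostRoutes
    }
}

# Constructed sample output of a restricted CLIENT1 (not captured from a real machine);
# DC1 is absent from the routes, as step 7 expects before remediation is configured.
$sampleIpconfig = @(
    'Windows IP Configuration',
    'Ethernet adapter Local Area Connection:',
    '   Connection-specific DNS Suffix  . : restricted.contoso.com',
    '   IPv4 Address. . . . . . . . . . . : 192.168.0.5',
    '   Subnet Mask . . . . . . . . . . . : 255.255.255.255',
    '   Default Gateway . . . . . . . . . : '
)
$sampleRoute = @(
    'Active Routes:',
    'Network Destination        Netmask          Gateway       Interface  Metric',
    '        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306',
    '      192.168.0.2  255.255.255.255         On-link       192.168.0.5    276',
    '      192.168.0.5  255.255.255.255         On-link       192.168.0.5    276'
)
Get-NapDhcpRestrictionState -IpconfigOutput $sampleIpconfig -RouteOutput $sampleRoute | Format-List

# On the live client, feed the real command output instead:
# Get-NapDhcpRestrictionState -IpconfigOutput (ipconfig) -RouteOutput (route print -4) | Format-List
```

With the constructed sample the result is Restricted = True, ReachesEnforcement = True and ReachesDC = False, which matches the state the procedure describes before DC1 is placed in a remediation server group; after that step ReachesDC should flip to True on a live client.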
Policies.
3. In the details pane, double-click NAP DHCP Non NAP-Capable.
4.
Join CLIENT1 to the Contoso.com domain
Because CLIENT1 now has access to domain services, it can be joined to the domain.
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. In the System Properties dialog box, click Change.
4. In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com.
5. Click More, and in Primary DNS suffix of this computer, type Contoso.com.
6. Click OK twice.
7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
10. In the System Properties dialog box, click Close.
11. In the dialog box that prompts you to restart the computer, click Restart Later.
Note
Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT1 will receive NAP client settings from Group Policy.
Add CLIENT1 to the NAP client computers security group
After joining the domain, CLIENT1 must be added to the NAP client computers security group so that it can receive NAP client settings.
1.
Enable Run on the Start menu
The run command is useful for several procedures in the test lab. To make it readily available, we will enable Run on the Start menu.
1. After CLIENT1 has been restarted, click Switch User, click Other User, and then log on to the C
1.
Because auto-remediation occurs rapidly, you might not see one or both of these messages.
Verification of health policy enforcement
Network health policy enforcement will be verified by configuring an additional requirement in network policy that is not met by CLIENT1, and demonstrating that CLIENT1 is subsequently placed on the restricted network.
Configure WSHV to require an antivirus application
Configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.
1.
Access Protection, then System Health Validators.
2. Under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box.
5. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.
Release and renew the IP address on CLIENT1
To reevaluate the health state of CLIENT1 against the new network health requirements, turn Windows Firewall off. CLIENT1 will automatically remediate the Windows Firewall setting, but because an antivirus program is not installed, the health requirement for an antivirus program cannot be met. Therefore, CLIENT1 will remain in a noncompliant state and will obtain an IP address configuration for the restricted network.
1.
You might see a message in the notification area that indicates the computer does not meet the corporate security requirements.
View the client's restriction state with Netsh
You can also check the restriction state of the computer using a NAP Netsh command.
1.
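As an added example that is not part of the guide, the following PowerShell function wraps the netsh nap client show state command this procedure refers to and extracts the client's restriction state together with whether the DHCP enforcement client reports itself as initialized. The field labels it matches ("Restriction state", "Name", "Initialized") and the sample text are assumptions about that command's output format, constructed here so the parser can be exercised offline; adjust the patterns if your build prints different labels.

```powershell
# Added example (not from the Microsoft guide): parse "netsh nap client show state".
# Assumed output labels: "Restriction state = ...", and per enforcement client a
# "Name = ..." line followed by "Initialized = Yes|No". Sample text below is constructed.
function Get-NapClientState {
    param(
        # When no text is supplied, run the real command on this client
        [string[]]$NetshOutput = (netsh nap client show state)
    )

    $restriction = $null; $dhcpEcInitialized = $null; $currentName = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Restriction state\s*=\s*(.+?)\s*$') { $restriction = $Matches[1] }
        # Remember the most recent "Name =" so an "Initialized =" line can be attributed
        # to the enforcement client block it belongs to
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$')              { $currentName = $Matches[1] }
        if (($line -match '^\s*Initialized\s*=\s*(\w+)') -and ($currentName -like 'DHCP Quarantine Enforcement Client*')) {
            $dhcpEcInitialized = ($Matches[1] -eq 'Yes')
        }
    }

    New-Object PSObject -Property @{
        RestrictionState  = $restriction
        # Anything other than the "not restricted" wording means the client is on the restricted network
        Restricted        = (($restriction -ne $null) -and ($restriction -notlike 'Not restricted*'))
        DhcpEcInitialized = $dhcpEcInitialized
    }
}

# Constructed sample (assumed format) for a client placed on the restricted network
$sampleNetsh = @(
    'Client state:',
    '----------------------------------------------------',
    'Name                   = Network Access Protection Client',
    'Status                 = Enabled',
    'Restriction state      = Restricted',
    '',
    'Enforcement client state:',
    '----------------------------------------------------',
    'Name                   = DHCP Quarantine Enforcement Client',
    'Initialized            = Yes'
)
Get-NapClientState -NetshOutput $sampleNetsh | Format-List

# On CLIENT1 itself: Get-NapClientState | Format-List
```

On the sample the function returns Restricted = True and DhcpEcInitialized = True; a DhcpEcInitialized of False on a live client would mean the DHCP enforcement client is not enabled, which is the Group Policy setting the guide configures for members of the NAP client computers group.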
See Also
http://go.microsoft.com/fwlink/?LinkId=56443
Appendix
This appendix will help you with troubleshooting techniques and the setting of optional features in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7.
Set UAC behavior of the elevation prompt for administrators
By default, User Account Control (UAC) is enabled in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.
To set UAC behavior of the elevation prompt for administrators
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type secpol.msc, and press ENTER.
3. In the User Account Control dialog box, click Continue.
4. In the left pane, double-click Local Policies, and then click Security Options.
5. In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
6. From the drop-down list box, choose Elevate without prompting, and then click OK.
7. Close the Local Security Policy window.
Review NAP client events
Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.
To review NAP client events in Event Viewer
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
Review NAP server events
Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. It can also help you to understand NAP server functionality.
To review NAP server events in Event Viewer
1. Click Start and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer (Local)\Custom Views\Server Roles\Network Policy and Access Services.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
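The two appendix procedures above click through Event Viewer on NPS1 and CLIENT1. As an added example that is not part of the guide, the following PowerShell collects the same events with Get-WinEvent so that a lab run can be checked from a console: NPS access decisions from the Security log on the server, and the NAP client operational log on the client. The event IDs used are the standard NPS audit event IDs from the Microsoft-Windows-Security-Auditing provider, which the guide itself does not list; the operational log name is assumed from the Event Viewer path given above; the function names are constructed.

```powershell
# Added example (not from the Microsoft guide). Run in an elevated PowerShell.
# NPS audit event IDs (Security log): 6272 granted, 6273 denied, 6276 quarantined
# (restricted network), 6277 probation, 6278 full access after a passed health check.
function Get-NpsNapDecisions {
    param(
        [int]$MaxEvents = 50,
        [string]$ComputerName = $env:COMPUTERNAME   # NPS1 in this lab
    )
    $labels = @{
        6272 = 'Granted'
        6273 = 'Denied'
        6276 = 'Quarantined (restricted network)'
        6277 = 'Probation (deferred enforcement)'
        6278 = 'Full access (health policy met)'
    }
    # FilterHashtable accepts an array of IDs; Security log reads require elevation
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'Security'; Id = @(6272, 6273, 6276, 6277, 6278) } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Decision = $labels[$_.Id]
                # First line of the message states the decision; the rest names the client
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Get-NapClientEvents {
    param([int]$MaxEvents = 50)
    # Assumed channel name, derived from the console path
    # Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational
    $log = 'Microsoft-Windows-NetworkAccessProtection/Operational'
    Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# On NPS1:    Get-NpsNapDecisions | Sort-Object Time | Format-Table Time, EventId, Decision, Summary -AutoSize
# On CLIENT1: Get-NapClientEvents | Format-Table -AutoSize -Wrap
```

When the verification steps of this guide are repeated, a 6276 (quarantined) entry on NPS1 should line up with each DHCP renewal in which CLIENT1 fails the antivirus requirement, and a 6278 with each renewal in which it is compliant; if NPS1 shows no entries at all, check that NPS audit success and failure logging is enabled on the server before looking at the client side.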