Executive Summary:
Microsoft Windows Server 2008 uses Network Access Protection (NAP) technology to ensure network security by enforcing compliance policies before client computers can access network resources. If a client computer doesn’t meet security requirements, NAP places the computer in quarantine or denies the computer network access.
|
In considering LAN security, we mostly think
about preventing an attacker from accessing
network resources. The reason for this focus is
simple: Most attacks are initiated from the Internet
and are directed at breaking into private networks.
However, an equally large security issue that
administrators must address is preventing regular
(i.e., authenticated and authorized) network users
from using computers with weak security configurations
to access network resources. For example,
a traveling employee might have a laptop that
only occasionally uses the VPN to connect to the
corporate LAN—but this laptop still needs all the
current security fixes, antispyware, and antivirus
definitions installed. Otherwise, such a computer
is a likely source to spread viruses or worms on
the network. If a computer doesn’t have a firewall
enabled and becomes infected with Trojan-like
software, the computer can provide unauthorized
persons with easy access to local network
resources. Employees’ home computers that use
the VPN to access the corporate LAN and that
aren’t managed properly provide a similar risk.
Finally, letting visitors connect their computers to
your local network, even just to provide them with
Internet access, can put other hosts on the network
at risk for infection with viruses or other kinds of
malicious code.
The question is: How do you check a computer’s
security configuration before you allow it to access
network resources? In addition, how do you determine
whether to grant full or limited access? Network
administrators need a mechanism to ensure
that any computer connecting to the corporate network
meets the organization’s health policy requirements
and has all the necessary software, patches,
and hotfixes installed.
Network Access Protection
Windows Server 2003 SP1 includes a technology
called Network Access Quarantine (NAQ) that helps
administrators limit or deny connections to computers
that don’t comply with a company’s security policies.
However, NAQ has many disadvantages. First, it’s
limited to VPN-based connections only, which means
you can’t protect your network from unsecured wireless
users, or even from users who have a physical connection
to the network (e.g., via employees’ personal
laptops). Second, NAQ is based on manually created
scripts (implemented via Connection Manager) that
must be run on the client side before VPN access is
granted. These scripts check such things as the firewall
state, antivirus state, presence of a password-protected
screen saver, and status of Internet Connection
Sharing. Besides the fact that writing the scripts can
be difficult and time consuming, the various types of
protection software on the client side can also cause
problems. For example, if VPN clients have various
antivirus programs, you must write a specific script
for each program and use a different Connection
Manager package for each. In the end, this solution
is static. After the client passes all the checks and the
main script reports the state of the client’s health to the
server, the user can safely disable the firewall, antivirus
software, and all other security features. These actions
won’t be detected, and the level of access to resources
will remain unchanged.
Windows Server 2008 solves most of NAQ’s disadvantages
with Network Access Protection (NAP)
technology. Using NAP, an administrator can enforce
specific compliance policies that must be met before a
client computer can access network resources. If a client
computer doesn’t meet the defined health requirements,
it’s either placed in quarantine (with access limited to specific hosts) or simply not allowed access.
In addition, NAP can automatically remediate
unhealthy clients, updating systems when possible
to make them comply with corporate policy. The
administrator configures NAP’s method of enforcement,
depending on the type of client connection.
NAP enforces health requirements for the following
types of connections:
- IPsec-protected communications
- IEEE 802.1x-authenticated connections
- VPN connections
- DHCP-managed connections
- Terminal Services Gateway connections
In this article, I focus on NAP implementation for
DHCP-managed connections. Using NAP with DHCP
lets you protect your network from all potentially unsecured
clients that are managed via DHCP (i.e., clients
that receive IP addresses from DHCP), including resident
desktop computers that are NAP capable.
NAP-capable OSs include Windows Vista (by
default) and Windows XP SP2 with NAP client software
(currently in Beta 3). XP SP3 will include the NAP
client by default. No older OSs are supported, because
NAP relies on information from Windows Security
Center (WSC), which exists only in Vista and XP SP2.
A benefit of NAP is that it’s not limited to Microsoft
technologies. Any system that can provide the NAP
server with its health state can also use NAP. Microsoft
is working with many hardware and software
vendors and other partner companies to help them
create NAP-compatible devices and software. To use
NAP for DHCP-managed connections, you must
prepare the environment, configure health policies,
create network policies for NAP, configure DHCP for
NAP, and enforce NAP on the client side.
Prepare the Environment
First, you must have an existing Active Directory (AD)
infrastructure available, with one or more Windows
2003-based (or Server 2008-based) DCs. DHCP must
be installed on a Server 2008 machine, because previous
versions of the DHCP service (such as the version
on Windows 2003) aren’t aware of NAP. You need at
least one static IP address for this host.
Install Server 2008 as a member server in your
domain. After installation, you must add the Server
2008 roles called Network
Policy Server and
DHCP Server. You can easily
accomplish this task
through the Server Manager
console, which is available
on the Welcome page or
under Administrative Tools.
Open Server Manager, go to
Roles Summary, and click
Add Roles. Server 2008’s
Network Policy Server role
replaces Windows 2003’s
Internet Authentication Service
(IAS). Thus, Network
Policy Server (NPS) lets you
create various types of policies,
not just those related to
NAP.
Configure
Health Policies
To configure your health
policies, go to Administrative
Tools and click the Network
Policy Server role you
added. In the NPS console
that opens, you must configure
the System Health
Validator and Health Policy
options to create an appropriate
network policy. The
System Health Validator
component defines your
security requirements for
clients that are accessing
the network, whereas
Health Policy defines different
configurations for NAPcapable
clients.
Double-click the Network Access Protection node
on the left side of the console, and click System Health
Validator. The Windows Security Health Validator
item will appear on the right side of the console. Double-
click this item to open the configuration window
that Figure 1 shows. In this window, click Configure
to see options for security requirements. As Figure 2 shows, you can simply select the appropriate
check boxes to indicate what you require from
clients. In Vista, you can require the firewall to
be enabled, antivirus and antispyware applications
to be present and current, the automatic
update feature to be enabled, and current
hotfixes to be installed. Similar requirements
are available in XP SP2, other than the antispyware
option, which isn’t part of XP. For testing
purposes, let’s select only the firewall check
box for both Vista and XP. Click OK twice to
finish configuring the System Health Validator
option.
Previous
Register
