Demonstrate DHCP NAP Enforcement

  Network Access Protection (NAP) is a new technology introduced in Windows Vista™ and Windows Server® 2008. NAP includes client components and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.

In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.

NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access Service, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.

NAP enforces health requirements for the following:

·      Internet Protocol security (IPsec)-protected communications

·      Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections

·      Virtual private network (VPN) connections

·      Dynamic Host Configuration Protocol (DHCP) configuration

The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

In this guide

This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the DHCP enforcement method using two server computers and one client computer. The test lab lets you create and enforce client health requirements using NAP and DHCP.

Note

The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Scenario overview

In this test lab, NAP enforcement for DHCP network access control is deployed with a server running Windows Server 2008 that has DHCP and the Network Policy Server (NPS) service installed, and a client computer running Windows Vista with the NAP agent service running and DHCP enforcement client component enabled. A computer running Microsoft Windows Server® 2003 is also used in the test lab as a domain controller and DNS server. The test lab will demonstrate how NAP-capable client computers are provided network access based on their compliance with network health requirements.

NAP enforcement processes

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network polices that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.

Windows Security Health Agent and Windows Security Health Validator are included with the Windows Server "Longhorn" and Windows Vista operating systems, and enforce the following settings for NAP-capable computers:

·      The client computer has firewall software installed and enabled.

·      The client computer has antivirus software installed and running.

·      The client computer has current antivirus updates installed.

·      The client computer has antispyware software installed and running.

·      The client computer has current antispyware updates installed.

·      Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Services (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

This test lab will use the Windows Security Health Agent and Windows Security Health Validator to require that client computers have turned on Windows Firewall, and have an antivirus application installed.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

·      Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.

·      Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.

·      Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a TCP/IP configuration to the client computer that places it on a restricted network.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.

This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.

DHCP NAP enforcement overview

The test environment described in this guide includes a domain controller running Windows Server 2003, a member server running Windows Server 2008, and a client computer running Windows Vista. The domain controller, member server, and the client computer compose a private intranet and are connected through a common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network ID 192.168.0.0/24 is used for the intranet. The domain controller is named DC1 and is the primary domain controller for the domain named Contoso.com. The member server is named NPS1 and is configured as a DHCP server and a network policy server. The client is named CLIENT1 and is configured for automatic addressing through DHCP. The following figure shows the configuration of the test environment.

Hardware and software requirements

The following are required components of the test lab:

·      The product discs for Windows Server 2008 Beta 3 and Windows Vista.

·      The product disc for Windows Server 2003 with Service Pack 1 (SP1).

·      One computer that meets the minimum hardware requirements for Windows Server 2003 with SP1.

·      One computer that meets the minimum hardware requirements for Windows Server 2008.

·      One computer that meets the minimum hardware requirements for Windows Vista.

·      An Ethernet hub or layer 2 switch.

Steps for configuring the test lab

There are three overall stages required to set up this test lab, one stage for each computer.

1.   Configure DC1.

DC1 is a server computer running Windows Server 2003, Standard Edition. DC1 is configured as a domain controller with the Active Directory® directory service and the primary DNS server for the intranet subnet.

2.   Configure NPS1.

NPS1 is a server computer running Windows Server 2008. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. NPS1 will also be configured with the DHCP service and function as a NAP enforcement server.

3.   Configure CLIENT1.

CLIENT1 is a client computer running the Windows Vista operating system. CLIENT1 will be configured as a DHCP client and a NAP client.

Note

You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Configure DC1

DC1 is a computer running Windows Server 2003 with SP1, Standard Edition, which provides the following services:

·      A domain controller for the Contoso.com Active Directory domain.

·      A DNS server for the Contoso.com DNS domain.

DC1 configuration consists of the following steps:

·      Install the operating system.

·      Configure TCP/IP.

·      Install Active Directory and DNS.

·      Create a user account and group in Active Directory.

The following sections explain these steps in detail.

Install the operating system on DC1

Install Windows Server 2003 with SP1, Standard Edition, as a stand-alone server.

To install the operating system on DC1

1.   Start your computer using the Windows Server 2003 product disk. 2.   When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.

To configure TCP/IP on DC1

1.   Click Start, click Control Panel, and then double-click Network Connections. 2.   Right-click Local Area Connection, and then click Properties. 3.   Click Internet Protocol (TCP/IP), and then click Properties. 4.   Select Use the following IP address. Type 192.168.0.1 next to IP address and 255.255.255.0 next to Subnet mask. 5.   Verify that Preferred DNS server is blank. 6.   Click OK, click Close, and then close the Network Connections window.

Configure DC1 as a domain controller and DNS server

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.

To configure DC1 as a domain controller and DNS server

1.   To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER. 2.   In the Active Directory Installation Wizard dialog box, click Next. 3.   Operating system compatibility information is displayed. Click Next again. 4.   Verify that Domain controller for a new domain is selected, and then click Next. 5.   Verify that Domain in a new forest is selected, and then click Next twice. 6.   On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next. 7.   Type Contoso.com next to Full DNS name for new domain, and then click Next. 8.   Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next. 9.   Accept the default Database Folder and Log Folder directories, and then click Next. 10.  Accept the default folder location for Shared System Volume, and then click Next. 11.  Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next. 12.  Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next. 13.  Review the summary information provided, and then click Next. 14.  Wait while the wizard completes configuration of Active Directory and DNS services, and then click Finish. 15.  When prompted to restart the computer, click Restart Now. 16.  Following reboot, log in to the CONTOSO domain using the Administrator account.

Create a user account in Active Directory

Next, create a user account in Active Directory. This account will be used when logging in to NPS1 and CLIENT1.

To create a user account in Active Directory

1.   Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. 2.   In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User. 3.   In the New Object - User dialog box, next to Full name, type User1 User, and in User logon name, type User1. 4.   Click Next. 5.   In Password, type the password that you want to use for this account, and in Confirm password, type the password again. 6.   Clear the User must change password at next logon check box, and select the Password never expires check box. 7.   Click Next, and then click Finish.

Add user1 to the Domain Admins group

Next, add the newly created user to the Domain Admins group so this user can be used for all configuration activities.

To add a user to the Domain Admins group

1.   In the Active Directory Users and Computers console tree, click Users. 2.   In the details pane, double-click Domain Admins. 3.   In the Domain Admins Properties dialog box, click the Members tab, and then click Add. 4.   Under Enter the object names to select (examples), type User1, the user name that you created in the preceding procedure, and then click OK twice. 5.   Close the Active Directory Users and Computers window.

Configure NPS1

For the test lab, NPS1 will be running Windows Server 2008 Beta3, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting. NPS1 configuration consists of the following steps:

·      Install the operating system.

·      Configure TCP/IP.

·      Join the computer to the domain.

·      Install the NPS and DHCP server roles.

·      Configure NPS.

·      Configure DHCP.

Install Windows Server "Longhorn" Beta3

To install Windows Server “Longhorn” Beta 3

1.   Start your computer using the Windows Server 2008 Beta 3 product CD. 2.   When prompted for the installation type, choose Custom. 3.   Follow the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on NPS1

To configure TCP/IP properties on NPS1

1.   Click Start, right-click Network, click Properties, and then click Manage Network Connections. 2.   In the Network Connections dialog box, right-click Local Area Connection, and then click Properties. 3.   In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6. 4.   In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 5.   Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0. 6.   Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1. 7.   Click OK, and then click Close to close the Local Area Connection Properties dialog box. 8.   Close the Network Connections window. 9.   Do not close the Server Manager window. It will be used in the next procedure. 10.  Next, check network communication between NPS1 and DC1 by running the ping command from NPS1. 11.  Click Start, click Run, type ping DC1, and then press ENTER. 12.  Verify that the response reads “Reply from 192.168.0.1".

Join NPS1 to the contoso.com domain

To join NPS1 to the contoso.com domain

1.   In Server Manager, under Server Summary, click Change System Properties. 2.   In the System Properties dialog box, on the Computer Name tab, click Change. 3.   In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1. 4.   In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com. 5.   Click More. Under Primary DNS suffix of this computer, type Contoso.com, and then click OK twice. 6.   When prompted for a user name and password, type User1 and password for the user account that you added to the Domain Admins group, and then click OK. 7.   When you see a dialog box welcoming you to the Contoso.com domain, click OK. 8.   When you are prompted that you must restart the computer, click OK. 9.   On the System Properties dialog box, click Close. 10.  When you are prompted to restart the computer, click Restart Now. 11.  After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

User Account Control

When configuring the Windows Vista or Windows Server 2008 operating systems, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks to follow require UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions on how to set UAC behavior of the elevation prompt for administrators.

Install the NPS and DHCP server roles

Next, install the NPS and DHCP server roles on NPS1.

To install the NPS and DHCP server roles

1.   Click Start, and then click Server Manager. 2.   Under Roles Summary, click Add roles, and then click Next. 3.   On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice. 4.   On the Select Role Services page, select the Network Policy Server check box, and then click Next twice. 5.   On the Select Network Connection Bindings page, verify that 192.168.0.2 is selected, and then click Next. 6.   On the Specify DNS Server Settings page, verify that contoso.com is listed under Parent domain. 7.   Type 192.168.0.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next. 8.   On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next. 9.   On the Add or Edit DHCP Scopes page, click Add. 10.  In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to Starting IP Address, type 192.168.0.3, next to Ending IP Address type 192.168.0.10, and next to Subnet Mask type 255.255.255.0. 11.  Select the Activate this scope check box, click OK, and then click Next. 12.  On the Select IPv6 DHCP Server Operation Mode page, select No. Do not configure this server for DHCPv6 stateless operation now, and then click Next. 13.  On the Authorize DHCP Server page, select Use current credentials. Verify that CONTOSO\user1 is displayed next to Username, and then click Next. 14.  On the Confirm Installation Selections page, click Install. 15.  Verify the installation was successful, and then click Close. 16.  Close the Server Manager window.

Configure NPS1 as a NAP health policy server

To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server consists of the following three steps:

·      Configure SHVs.

·      Configure remediation server groups.

·      Configure health policies.

·      Configure network policies.

All configuration steps are performed using the NPS management console.

Open the NPS management console

To open the NPS management console

1.   Click Start, click Run, type nps.msc, and then press ENTER. 2.   Leave this window open for the following NPS configuration tasks.

Configure SHVs

SHVs define configuration requirements for computers that attempt to connect to your network. For the test lab, Windows Security Health Validator will be configured to require only that Windows Firewall is enabled.

To configure SHVs

1.   Double-click Network Access Protection, and then click System Health Validators. 2.   In the middle pane under Name, double-click Windows Security Health Validator. 3.   In the Windows Security Health Validator Properties dialog box, click Configure. 4.   Clear all check boxes except A firewall is enabled for all network connections. You do not have to clear the Windows Update check box. See the following example. 5.   Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.

Configure remediation server groups

Remediation server groups are lists of computers that noncompliant NAP clients can access to help them update their configuration. For the test lab, DC1 will be added to a remediation server group so that CLIENT1 will have access to DNS when it is noncompliant.

To configure a remediation server group

1.   In the console tree, under Network Access Protection, right-click Remediation Server Groups, and then click New. 2.   Under Group Name, type Rem1. 3.   Next to Remediation Servers, click Add. 4.   In the Add New Server dialog box, under IP address or DNS name, type 192.168.0.1, and then click OK twice.

Configure health policies

Health policies define which SHVs are evaluated, and how they are used in validating the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. This test lab defines two health policies: one that corresponds to a compliant health state and one that corresponds to a noncompliant health state.

To configure health policies

1.   Double-click Polices. 2.   Right-click Health Policies, and then click New. 3.   In the Create New Health Policy dialog box, under Policy Name, type Compliant. 4.   Under Client SHV checks, verify that Client passes all SHV checks is selected. 5.   Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example. 6.   Click OK. 7.   Right-click Health Policies, and then click New. 8.   In the Create New Health Policy dialog box, under Policy Name, type Noncompliant. 9.   Under Client SHV checks, select Client fails one or more SHV checks. 10.  Under SHVs used in this health policy, select the Windows Security Health Validator check box, as shown in the following example. 11.  Click OK.

Configure network policies

Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will be have their access restricted. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

Configure a network policy for compliant client computers

First, create a network policy to match network access requests made by compliant client computers.

To configure a network policy for compliant client computers

1.   In the console tree, under Policies, click Network Policies. 2.   Disable the two default policies under Policy Name by right-clicking the policies, and then clicking Disable for each. 3.   Right-click Network Policies, and then click New. 4.   In the Specify Network Policy Name and Connection Type window, under Policy name, type Compliant-Full-Access, and then click Next. See the following example. 5.   In the Specify Conditions window, click Add. 6.   In the Select condition dialog box, double-click Health Polices. 7.   In the Health Policies dialog box, under Health policies, select Compliant, and then click OK. See the following example. 8.   In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Compliant, and then click Next. 9.   In the Specify Access Permission window, verify that Access granted is selected, and then click Next. 10.  In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next. 11.  Click No in the pop-up window warning you about authentication methods. 12.  In the Configure Constraints window, click Next. 13.  In the Configure Settings window, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next. See the following example. 14.  In the Completing New Network Policy window, click Finish to complete configuration of your network policy for compliant client computers.

Configure a network policy for noncompliant client computers

Next, create a network policy to match network access requests made by noncompliant client computers.

To configure a network policy for noncompliant client computers

1.   Right-click Network Policies, and then click New. 2.   In the Specify Network Policy Name and Connection Type window, under Policy name, type Noncompliant-Restricted, and then click Next. See the following example. 3.   In the Specify Conditions window, click Add. 4.   In the Select condition dialog box, double-click Health Polices. 5.   In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK. See the following example. 6.   In the Specify Conditions window, verify that Health Policy is specified under Conditions with a value of Noncompliant, and then click Next. 7.   In the Specify Access Permission window, verify that Access granted is selected, and then click Next. Important A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level determined by the policy. 8.   In the Configure Authentication Methods window, select Perform machine health check only. Clear all other check boxes, and then click Next. 9.   Click No in the pop-up window warning you about authentication methods. 10.  In the Configure Constraints window, click Next. 11.  In the Configure Settings window, click NAP Enforcement. Select Allow limited access and verify that Enable auto-remediation of client computers is selected. See the following example. 12.  Click Next, and then click Finish. This completes configuration of your NAP network policies.

Configure DHCP on NPS1

NPS1 is the member server that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager. We will configure scope options further for NAP.

Open the DHCP console

To open the DHCP console

1.   Click Start, click Run, type dhcpmgmt.msc, and then press ENTER. 2.   Leave this window open for all DHCP configuration tasks.

Verify the default NAP profile

First, verify that the default NAP profile is being used on the DHCP server.

To verify the default NAP profile is being used

1.   In the DHCP console, double-click nps1.contoso.com, and then double-click IPv4. 2.   Right-click Scope, and then click Properties. 3.   On the Network Access Protection tab, verify that Use default Network Access Protection profile is selected, and then click OK.

Configure the default user class

Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default user class scope options

1.   In the DHCP console, double-click Scope, right-click Scope Options, and then click Configure Options. 2.   On the Advanced tab, verify that Default User Class is chosen next to User class. 3.   Under Available Options, select the 003 Router check box, type 192.168.0.1 in IP Address, and click Add. 4.   Select the 006 DNS Servers check box, type 192.168.0.1 in IP Address, and click Add. 5.   Select the 015 DNS Domain Name check box, type contoso.com in String value, and then click OK. The contoso.com domain is a full-access network assigned to compliant NAP clients.

Configure the default NAP class

Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default NAP class scope options

1.   In the DHCP console, right-click Scope Options, and then click Configure Options. 2.   On the Advanced tab, next to User class, choose Default Network Access Protection Class. 3.   Select the 006 DNS Servers check box, type 192.168.0.1 in IP Address, and click Add. 4.   Select the 015 DNS Domain Name check box, type restricted.contoso.com in String value, and then click OK. The restricted.contoso.com domain is a restricted-access network assigned to noncompliant NAP clients.

Configure CLIENT1

CLIENT1 is a computer running Windows Vista that you will use to demonstrate how NAP can be used with DHCP to help protect a network from noncompliant client computers. CLIENT1 configuration is performed in the following steps:

·      Install the operating system.

·      Configure TCP/IP.

·      Enable Security Center in Group Policy.

·      Enable the DHCP enforcement client.

·      Enable the NAP agent service.

·      Join CLIENT1 to the Contoso.com domain.

The following sections explain these steps in detail.

Install the operating system on CLIENT1

To install the operating system on CLIENT1

1.   Start your computer using the product discs for Windows Vista. 2.   When prompted for the installation type, choose Custom Installation. 3.   When prompted for a computer name, type CLIENT1. 4.   On the Select your computer's current location page, click Work. 5.   Follow the rest of the instructions that appear on your screen to finish the installation.

Configure TCP/IP on CLIENT1

To configure TCP/IP on CLIENT1

1.   Click Start, and then click Control Panel. 2.   Click Network and Internet, click Network and Sharing Center, and then click Manage network connections. 3.   Right-click Local Area Connection, and then click Properties. 4.   In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This reduces the complexity of the lab, particularly for those who are not familiar with IPv6. 5.   Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. 6.   Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected. 7.   Click OK, and then click Close to close the Local Area Connection Properties dialog box. 8.   Close the Network Connections and Network and Sharing Center windows.

Enable Security Center in Group Policy

On clients running Windows Vista, Security Center is disabled by default when the computer is joined to a domain. Security Center must be configured so that it is turned on when the client is a domain member so that it can monitor status for Windows Security Health Agent. To accomplish this, Security Center will be enabled through local Group Policy.

To configure CLIENT1 so that Security Center is always enabled

1.   Click Start, point to All Programs, click Accessories, and then click Run. 2.   Type mmc, and then press ENTER. 3.   On the File menu, click Add/Remove Snap-in. 4.   In the Add or Remove Snap-ins dialog box, under Available snap-ins, click Local Group Policy Object Editor, and then click Add. 5.   In the Select Group Policy Object dialog box, click Finish, and then click OK. 6.   In the console tree, open Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center. 7.   Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK. 8.   Close the console window. When prompted to save settings, click No.

Enable the DHCP enforcement client

The NAP DHCP enforcement method requires that the DHCP enforcement client is enabled on NAP client computers.

To enable the DHCP enforcement client

1.   Click Start, click All Programs, click Accessories, and then click Run. 2.   Type napclcfg.msc, and then press ENTER. 3.   In the console tree, click Enforcement Clients. 4.   In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable. 5.   Close the NAP Client Configuration console.

Enable and start the NAP agent service

By default, the Network Access Protection Agent service on computers running Windows Vista is configured with a startup type of Manual. CLIENT1 must be configured so that the Network Access Protection Agent service starts automatically, and the service must be started.

To enable and start the NAP agent service

1.   Click Start, click Control Panel, click System and Maintenance, and then click Administrative Tools. 2.   Double-click Services. 3.   In the services list, double-click Network Access Protection Agent. 4.   In the Network Access Protection Agent Properties dialog box, change the Startup type to Automatic, and then click Start. 5.   Wait for the NAP agent service to start, and then click OK. 6.   Close the Services console, Administrative Tools, and System and Maintenance windows.

Verify network connectivity for CLIENT1

Run the ping command from CLIENT1 to confirm network communication between CLIENT1 and DC1. Because the Network Access Protection Agent service and DHCP enforcement client are running, CLIENT1 is considered NAP-capable by the DHCP server and is issued an IP address on the 192.168.0.0/24 subnet. This is required to join CLIENT1 to the Contoso.com domain.

To use the ping command to check network connectivity

1.   Click Start, click All Programs, click Accessories, and then click Command Prompt. 2.   In the command window, type ping DC1. 3.   Verify that the response reads “Reply from 192.168.0.1". 4.   Close the command window.

Join CLIENT1 to the Contoso.com domain

To join CLIENT1 to the Contoso.com domain

1.   Click Start, right-click Computer, and then click Properties. 2.   Under Computer name, domain, and workgroup settings, click Change settings. 3.   In the System Properties dialog box, click Change. 4.   In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com. 5.   Click More, and in Primary DNS suffix of this computer, type Contoso.com. 6.   Click OK twice. 7.   When prompted for a user name and password, type the user name and password for the User1 account, and then click OK. 8.   When you see a dialog box welcoming you to the Contoso.com domain, click OK. 9.   When you see a dialog box telling you to restart the computer, click OK. 10.  In the System Properties dialog box, click Close. 11.  Click Restart Now to restart the computer. 12.  After the computer is restarted, click Switch User, and then click Other User and log on to the CONTOSO domain with the User1 account you created.

Verifying NAP functionality

The following procedures are used to verify that the NAP infrastructure is functioning correctly:

·      Verification of NAP auto-remediation. CLIENT1 is automatically remediated when Windows Firewall is turned off, causing Windows Firewall to be turned back on.

·      Verification of NAP policy enforcement. NAP policy is revised to be more restrictive, causing CLIENT1 to be noncompliant with policy and unable to remediate itself. When CLIENT1 is in a noncompliant state, its network access will be restricted.

Verification of NAP auto-remediation

The Noncompliant-Restricted authorization policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that CLIENT1 is automatically remediated to a compliant state when Windows Firewall is turned off.

To verify that CLIENT1 is auto-remediated when Windows Firewall is turned off

1.   On CLIENT1, click Start, and then click Control Panel. 2.   Click Security Center, and then click Windows Firewall. 3.   In the Windows Firewall dialog box, click Change settings. 4.   In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK. 5.   Watch Windows Security Center and you will see that Windows Firewall is displayed as off and is then displayed as on. 6.   You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of CLIENT1. See the following example. 7.   The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network. See the following example. Because auto-remediation occurs rapidly, you might not see one or both of these messages.

Verification of health policy enforcement

Network health policy enforcement will be verified by configuring an additional requirement in network policy that is not met by CLIENT1, and demonstrating that CLIENT1 is subsequently placed on the restricted network.

Configure the Windows Security Health Validator to require an antivirus application

Configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.

To configure the system health validator policy to require antivirus software

1.   On NPS1, in the Network Policy Server console, open NPS (Local), then Network Access Protection, then System Health Validators. 2.   Under Name, double-click Windows Security Health Validator. 3.   In the Windows Security Health Validator Properties dialog box, click Configure. 4.   In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box. 5.   Click OK, and then click OK again to close the Windows Security Health Validator Properties window.

Release and renew the IP address on CLIENT1

To reevaluate the health state of CLIENT1 against the new network health requirements, you must release and then renew the IP address on CLIENT1. This change will cause the NAP client to validate its system health. Because an antivirus program is not installed, the health requirement for an antivirus program cannot be met. Therefore, CLIENT1 will remain in a noncompliant state and will obtain an IP address configuration for the restricted network.

To release and then renew the IP address on CLIENT1

1.   On CLIENT1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. 2.   At the command prompt, type ipconfig /release. 3.   At the command prompt, type ipconfig /renew.

View the NAP client health state

Because the client computer is in a noncompliant state, the DHCP server will assign an IP address to the client computer for the restricted network. You can tell that the client is on the restricted network because the DHCP server does not assign an address for the default gateway and the connection-specific DNS suffix is restricted.contoso.com. The following figure shows an example.

You may see a message in the notification area indicating that the computer does not meet the corporate security requirements.

View the client's NAP state with Netsh

You can also check the Network Access Protection state of the computer using a NAP Netsh command.

To use a Netsh command to show the NAP client's health state

1.   On CLIENT1, at the command prompt, type netsh nap client show state. 2.   Scroll the command window up to display the Client state section. In the Client state section, the Restriction state should be "Restricted".

Allow CLIENT1 to be complaint

Next, configure NPS1 to remove the antivirus health requirement so that CLIENT1 can be compliant.

To configure NPS1 health requirements to allow CLIENT1 to be compliant

1.   Return to the Network Policy Server console on NPS1. 2.   Double-click Windows Security Health Validator. 3.   In the Windows Security Health Validator Properties dialog box, click Configure. 4.   In the Windows Security Health Validator dialog box, under Virus Protection, clear the An antivirus application is on check box. 5.   Click OK twice to complete configuration of the Windows SHV. 6.   On CLIENT1, type ipconfig /release, and then type ipconfig /renew at the elevated command prompt to obtain a new IP address configuration with unrestricted access. 7.   Verify that new IP address configuration includes a default gateway and is assigned the connection-specific DNS suffix of contoso.com.

Network Access Protection

Set UAC behavior of the elevation prompt for administrators

By default, User Account Control (UAC) is enabled in Windows Server 2008 and Windows Vista. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.

To set UAC behavior of the elevation prompt for administrators

1.   Click Start, point to All Programs, click Accessories, and then click Run. 2.   Type secpol.msc, and press ENTER. 3.   In the User Account Control dialog box, click Continue. 4.   In the left pane, double-click Local Policies, and then click Security Options. 5.   In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. 6.   From the drop-down list box, choose Elevate without prompting, and then click OK. 7.   Close the Local Security Policy window.

Review NAP client events

Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.

To review NAP client events in Event Viewer

1.   Click Start, point to All Programs, click Accessories, and then click Run. 2.   Type eventvwr.msc, and press ENTER. 3.   In the left tree, navigate to Event Viewer(Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational. 4.   Click an event in the middle pane. 5.   By default, the General tab is displayed. Click the Details tab to view additional information. 6.   You can also right-click an event and then click Event Properties to open a new window for reviewing events.

Review NAP server events

Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. It can also help you to understand NAP server functionality.

To review NAP server events in Event Viewer

1.   Click Start and then click Run. 2.   Type eventvwr.msc, and press ENTER. 3.   In the left tree, navigate to Event Viewer(Local)\Windows Logs\System. 4.   Click an event in the middle pane. 5.   By default, the General tab is displayed. Click the Details tab to view additional information. 6.   You can also right-click an event and then click Event Properties to open a new window for reviewing events.