Join Lisa Bock for an in-depth discussion in this video, Network Access Protection (NAP), part of IT Security Foundations: Network Security.
- We are only as strong as our weakest link. A network device without appropriate protection, such as updated patches and an active firewall, can pose a significant risk to the corporate network. Windows Server 2008 utilizes network access protection, which checks the status of a client's Windows updates. Access to the network is based on the device's health. A health registration authority is responsible for validating and requesting a health certificate for compliant clients.
It forwards a certificate request to the certifying authority on behalf of the client. If a device is found to be non-compliant, according to the policy created, it may have restricted access or even be blocked from joining the network. Network access protection is a framework that uses a Network Policy Server. The Network Policy Server stores the health policies and checks the health and status of computers. To deploy network access protection, you must have a network access protection health policy server, which is a computer running Server 2008 with a Network Policy Server role installed and configured to evaluate the health of network access protection client computers.
Using RADIUS, or Remote Authentication Dial-In User Service, will enable remote devices, such as wireless access points, virtual private network, and dial-up servers to communicate with RADIUS servers, such as Network Policy Servers and check unmanaged VPN and other external clients. A policy enforcement point serves as a gatekeeper to the digital resources. Three policies are supported. Connection requests.
This determines whether requests from RADIUS clients are handled by the Network Policy Server or by another RADIUS server. Network policies on whether the connection is authorized or rejected. For example, we might create a policy "compliant, full access," and then grant full access. Or "compliant, limited access," and then grant limited access. And health policies define the conditions that must be met in order to connect.
Auto-remediation may be selected to remediate clients who do not meet health requirements defined in the policy. We're going to go behind the scenes. Keep in mind, network access protection is implemented on the server. So I'm in Server 2008, and as an administrator, I would add this role. Now, what I'm going to do is I'll go to Start, Administrative Tools, and Server Manager. I'm in Server Manager, and in the upper left-hand corner, I'm going to add a role.
I'm going to add Network Policy and Access Services. Alright. The role has been installed. Now I will have to configure it by going into Administrative Tools and Network Policy Server. I'm going to go into Start, Administrative Tools, and Network Policy Server.
Once in, I can see the different policies. As we said, there are three: connection request policies, network policies, and health policies. I'll drop down the Network Access Protection, and the System Health Validators. And I'm gonna right-click and look at properties. Here I can configure the System Health Validators. As you can see here, as an administrator, I can enforce that the health of that client is going to include all of the following.
A firewall is enabled for all network connections. It includes antivirus, spyware protection, and automatic updating. Now let's step through to see what happens when a device logs into a network access protection enforcement device. Here we see a VPN client, and then it will try to go through and access the network. When a device logs in to the network access protection enforcement device, such as a VPN, DHCP server, or other device, the device reports the endpoint's health to a Network Policy Server, and the server then determines the status according to the policy set by the administrator.
After passing the requirements, the client is allowed to join the network. If it does not comply, it is either blocked or quarantined until health requirements are met. A new health-check request is then made. If you are a home user, you have a valuable resource for education and update information on security-related issues for Windows operating systems. I'm gonna suggest you use Internet Explorer, and I'm at this webpage where we can see the Microsoft Security Response Center. I'm gonna scroll down and here we can see the Microsoft Security Response Center which gives us a lot of information about how to protect your software and help improve security.
I'm going to click on Microsoft Safety and Security Center. And here we can see a lot of education about different techniques and tools we can use to improve security, such as get password guidance, protect my information, avoid scams and hoaxes, and help kids stay safer online.
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Implementing secure content management (SCM)
- Implementing unified threat management (UTM)
- Introducing VLANs
- NAT addressing
- Network sniffing
- Understanding common attack methods, such as password attacks
- Protecting clients with antivirus software
- Implementing physical security