NPS Policy Application for Windows Server 2008


Most of the employees in the office are mobile workers. Because their virus definitions are not updated in time and system patches are not installed, the mobile office equipment is in a dangerous state, and once it connects to the internal network it is likely to threaten the whole network. How can this entry point into the network be defended?

The author works at a media company with hundreds of reporters. Each reporter is equipped with a laptop and an Internet access device. Reporters often take their laptops on business trips and do not log in to the internal network for long periods. Anti-virus software and system patch update services are deployed on the network, but when a reporter connects to the company network through VPN or other means, the connection is very short and the system patches and virus definitions cannot be downloaded immediately. Because the virus database is not updated in time and the system patches are not installed, the laptop is in a "dangerous" state. Once it is infected and carries viruses or Trojans onto the internal network, it has a great impact on the network.

Is there a way to automatically check the security state of a client computer when it logs in to the network, and to let it onto the network only after it meets the security standard? That is NAP, the network access protection policy.


Windows Server 2008 provides NAP (Network Access Protection). Under a network access protection policy, every client computer (LAN client or VPN client) must pass a network health check, such as whether the latest security patches are installed, whether the anti-virus signature database is updated, whether the firewall is enabled, and so on, and is allowed into the internal network only after meeting these security conditions. Computers that fail the system health check are quarantined to a restricted-access network. In the restricted network the computer's state is repaired (for example by downloading the required system patches from the patch server, or by forcing the firewall policy on), and once it reaches the network health standard it can access the company's internal network.

Windows Server 2008 provides several methods of network access protection. The simplest is to use NPS (Network Policy Server) policy together with the DHCP service. To deploy this policy you need to configure the client computers: enable the "Enable Security Center (Domain PC Only)" policy in Group Policy, enable the "DHCP Quarantine Enforcement Client" policy, and enable the NAP Agent service, which is recommended to be set to the "Automatic" startup mode.
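The three client-side settings above, applied and then verified from an elevated PowerShell prompt on the client. This is an added example, not code from the original article. It assumes the NAP Agent service name "napagent", the DHCP enforcement client ID 79617 and the netsh nap syntax as they exist in Windows, and that the SecurityCenterInDomain registry value is what the Security Center (domain PCs only) policy writes; in production these settings belong in Group Policy so a user cannot revert them locally.

```powershell
# Added example: prepare a domain-joined client for DHCP-based NAP enforcement
# and report whether it is ready. Run elevated on the client.

# 1. NAP Agent service: automatic start, and running right now.
#    (service name "napagent" is the Windows NAP Agent service)
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. DHCP Quarantine Enforcement Client (enforcement client ID 79617).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 3. Security Center (domain PCs only). Assumption: this registry value is the
#    one the Group Policy setting writes; prefer the GPO in production.
$scPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
if (-not (Test-Path $scPath)) { New-Item -Path $scPath -Force | Out-Null }
Set-ItemProperty -Path $scPath -Name SecurityCenterInDomain -Value 1 -Type DWord

function Test-NapClientReady {
    # Returns $true only when the agent runs, the DHCP enforcement client is
    # initialized, and the Security Center policy value is set.
    $agentRunning = (Get-Service -Name napagent).Status -eq 'Running'

    # "netsh nap client show state" lists each enforcement client with its Id
    # and an "Initialized = Yes/No" line; assumption: that layout is stable.
    $state = (netsh nap client show state) -join "`n"
    $dhcpEnabled = $state -match '(?s)Id\s*=\s*79617.*?Initialized\s*=\s*Yes'

    $sc = Get-ItemProperty -Path $scPath -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
    $scEnabled = ($sc -ne $null) -and ($sc.SecurityCenterInDomain -eq 1)

    return ($agentRunning -and $dhcpEnabled -and $scEnabled)
}

if (Test-NapClientReady) { 'NAP client ready' } else { 'NAP client NOT ready - check the three settings above' }
```

The verification function is the part worth keeping in a login script or monitoring job: a client on which the NAP Agent has been stopped silently falls back to an ordinary DHCP client, and the DHCP server cannot tell a healthy client from one that simply is not reporting.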


In a default installation of Windows Server 2008 the NPS (Network Policy Server) service is not installed, and the network administrator must install it manually.

Start Server Manager and run the Add Roles Wizard. In the Select Roles dialog box, select "Network Policy and Access Services" in the roles list. The remaining settings can be left at their defaults.

After the NPS service is installed, the DHCP service on the member server is replaced by the new NPS-aware component, and the network administrator must configure the DHCP options that NPS uses. By default the NPS-related "Network Access Protection" feature is not enabled; it is enabled in the properties of the DHCP scope.

NAP switches computers between restricted and unrestricted network access within the same scope by adding a user-class set of scope options. This special set of scope options (DNS server, DNS domain name, router, etc.) is used when handing out leases to non-compliant client computers. For example, a healthy client receives the default DNS suffix "book.com", while an unhealthy client receives the DNS suffix "Testbook.com".
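The scope configuration described above, done with netsh from PowerShell on the Windows Server 2008 DHCP server, as an added example that is not part of the original article. It assumes an elevated prompt on the DHCP server, that "Default Network Access Protection Class" is the user class the DHCP server creates when NAP is installed, and that the netsh dhcp "set napstate" and "user=" option syntax is as I know it from that netsh context; the scope 192.168.10.0 and every address below are constructed values.

```powershell
# Added example: enable NAP on one DHCP scope and give non-compliant clients
# (the NAP user class) their own DNS server and DNS suffix, as the article
# describes with book.com versus Testbook.com. Run elevated on the DHCP server.

$scope    = '192.168.10.0'                              # constructed scope
$napClass = 'Default Network Access Protection Class'   # class created by NAP

# netsh -f runs a script file, which avoids shell quoting issues around the
# user class name that contains spaces. Assumption: these netsh dhcp
# subcommands match the scope's "Network Access Protection" tab in the GUI.
$commands = @"
dhcp server scope $scope set napstate enable
dhcp server scope $scope set optionvalue 003 IPADDRESS 192.168.10.1
dhcp server scope $scope set optionvalue 006 IPADDRESS 192.168.10.10
dhcp server scope $scope set optionvalue 015 STRING book.com
dhcp server scope $scope set optionvalue 006 IPADDRESS user="$napClass" 192.168.10.250
dhcp server scope $scope set optionvalue 015 STRING user="$napClass" Testbook.com
"@
# Note: no router (option 003) is set for the NAP class on purpose. A
# quarantined client gets a lease with no default gateway plus host routes to
# the remediation servers, so it can reach those servers and nothing else.

$file = Join-Path $env:TEMP 'nap-scope.netsh'
Set-Content -Path $file -Value $commands
netsh -f $file
Remove-Item $file

function Get-ScopeOptionReport {
    # Returns the raw option listing so the two option sets can be compared;
    # the user-class options appear under their class name in the output.
    return (netsh dhcp server scope $scope show optionvalue)
}
Get-ScopeOptionReport
```

The check worth making after this runs is that the DNS server handed to the restricted class (192.168.10.250 here) really is inside the restricted network and only resolves the remediation hosts; if it is the production resolver, a quarantined client that can reach it can also be used to probe the internal namespace.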


The NPS policy consists of four parts: Network Health Validator, Update Server Group, Health Policy and Network Policy. Together they verify, quarantine and remediate the computers that join the company network and review them against the health policy.

Network Health Validator: evaluates the computer's running state. It defines which checks are performed and builds a checklist that, according to the configured policy, detects which computers connected to the network are secure and which are not; for example, a computer whose firewall is turned off or that has no anti-virus software installed is considered unsafe. Start the Network Policy Server component, open NPS (Local) → Network Access Protection → System Health Validator, and configure the states to be checked in the properties list, as shown in Figure 1.

Update Server Group: lets network administrators define the systems that computers in poor health are allowed to reach. By accessing those systems, unhealthy computers are restored to a normal state. During setup, note that the target server's IP address and its DNS name resolution must be consistent. Start the "Network Policy Server" component, open "NPS" → "Network Access Protection" → "System Health Validator", create a new "Update Server Group", and set the IP address and name of the virus-definition update server or patch update server.

Health Policy: establishes the standard for client computer health. It is recommended to create two policies, one for secure computers and one for non-secure computers. A computer that the network health validator finds secure is matched to the secure-computer policy, and a computer it finds insecure is matched to the insecure-computer policy. Start the "Network Policy Server" component, open "NPS" → "Policies" → "Health Policies", and create two new health policies: one "pass all security verification" policy, as shown in Figure 2, and one "does not pass security verification" policy.

Network Policy: defines the processing rules and determines how a computer is handled based on its health. Network health validators, update server groups and health policies are tied together by network policies. A network policy is defined by the administrator and tells NPS how to handle a computer based on its running state. NPS evaluates policies from top to bottom, and as soon as a computer matches a policy's conditions, processing stops.
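Once the network policies are in place, the administrator needs to see what decisions NPS is actually making. The following is an added example, not part of the original article: it summarises NAP decisions recorded by NPS in the Security log on the NPS server. It assumes read access to the Security log with the Network Policy Server audit subcategory enabled, that the NPS audit event IDs are as I know them (6276 client quarantined, 6277 granted access but put on probation, 6278 granted full access after meeting the health policy), and that the event message carries a "Calling Station Identifier:" line for the client; treat that message layout as an assumption and adjust the regular expression if your events differ.

```powershell
# Added example: count NAP outcomes per client over the last N hours, so a
# sudden rise in quarantines (or, more worrying, a healthy-looking network
# with no 6278 events at all, meaning enforcement is not really happening)
# is visible. Run on the NPS server.

function Get-NapDecisionSummary {
    param([int]$Hours = 24)

    # Assumption: these are the NPS audit event IDs for NAP decisions.
    $outcome = @{ 6276 = 'Quarantined'; 6277 = 'Probation'; 6278 = 'FullAccess' }

    $filter = @{
        LogName   = 'Security'
        Id        = 6276, 6277, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $perClient = @{}
    foreach ($e in $events) {
        # Assumption: the message contains "Calling Station Identifier: <mac/ip>".
        $client = 'unknown'
        if ($e.Message -match 'Calling Station Identifier:\s+(\S+)') { $client = $Matches[1] }

        if (-not $perClient.ContainsKey($client)) {
            $perClient[$client] = @{ Quarantined = 0; Probation = 0; FullAccess = 0 }
        }
        $perClient[$client][$outcome[$e.Id]]++
    }

    # Emit one row per client, most quarantines first.
    $rows = foreach ($c in $perClient.Keys) {
        New-Object PSObject -Property @{
            Client      = $c
            Quarantined = $perClient[$c].Quarantined
            Probation   = $perClient[$c].Probation
            FullAccess  = $perClient[$c].FullAccess
        }
    }
    return ($rows | Sort-Object Quarantined -Descending)
}

Get-NapDecisionSummary -Hours 24 | Format-Table Client, Quarantined, Probation, FullAccess -AutoSize
```

Because network policies are matched top to bottom, a client that keeps landing in "Probation" instead of "Quarantined" usually means a more permissive policy sits above the quarantine policy in the list; this report is the quickest way to spot that ordering mistake after a policy change.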

Two network policies have been created, namely the "pass all security verification" policy and the "does not pass security verification" policy.
