Windows Server 2008 NAP Tutorial

  
Among the features of Windows Server 2008, Network Access Protection (NAP) is one of the most anticipated, particularly for enterprises that want to tighten the security management of personal computers and of the network itself. Simply put, NAP restricts or denies connections from computers that do not comply with the corporate security policy. Examples of non-compliance include: Automatic Updates is turned off, system patches are not installed regularly, no anti-virus software is installed, the personal firewall is disabled, or the anti-virus signatures or scanning engine are past their update deadline.

Integrating policy control with authentication and authorization

To start using NAP, you first add a new server role in Server Manager, called Network Policy and Access Services (NPAS). After the installation steps are complete, a shortcut named Network Policy Server (NPS) is added under Administrative Tools in the Start menu. When you open the Network Policy Server console, three standard configuration options appear immediately so that settings can be applied quickly; pressing Configure NAP launches a wizard that guides the administrator through the setup step by step.

In fact, the predecessor of NPS is Internet Authentication Service (IAS) in Windows Server 2003. NPS inherits its centralized RADIUS authentication, authorization and accounting mechanisms and continues to cover wired, wireless and VPN networks, rather than creating a new execution environment. It can therefore also forward authentication and accounting messages to other RADIUS servers, acting as a RADIUS proxy. In short, NAP is the name of a feature, and in Windows Server 2008 that feature is provided primarily by the server role just mentioned.
The role includes both the policy server and the enforcement components

When NPAS is first installed, you can see that it includes NPS, Routing and Remote Access Service (RRAS) and the Health Registration Authority (HRA). HRA is rather special: it is used mainly in the NAP IPsec enforcement architecture. Within an IPsec-protected LAN, a personal computer judged to comply with the network security policy obtains a certificate representing its health; when another computer on the same network connects to it, that certificate is verified as part of the connection. A computer that fails the policy check cannot obtain a health certificate, IPsec peer authentication fails, and it cannot communicate with the other computers.

NPS itself can be further divided into four main components:

RADIUS Clients and Servers: RADIUS clients are the network access devices that submit requests; RADIUS servers are other NPS servers. When an enterprise configures its NPS server as a RADIUS proxy, authentication and authorization requests are forwarded to those other RADIUS servers. If the corporate network spans multiple domains or multiple forests, requests can be routed through this mechanism.

Policies: There are three kinds of policy settings: connection request policies, network policies and health policies. Connection request policies handle the connection to a remote NPS or other RADIUS server, making NPS a gateway that verifies authentication from RADIUS-compliant devices such as 802.1X-capable wireless access points and authenticating switches, Routing and Remote Access Service (RRAS) acting as a VPN or dial-up server, and Terminal Services Gateway. The local domain and trusted domains can be served by the default policy.
Network policies come in more than six forms, including unspecified, remote access server, Ethernet, Terminal Services Gateway, wireless access point, HRA, HCAP server and DHCP server. Health policies are generally set to "client passes all checks" or "client fails one or more checks"; five further conditions are available, such as fails all checks, passes one or more checks, reported as infected by malicious software, and status cannot be determined, so the policy can be matched to the situation at hand.

Network Access Protection: This node is responsible only for the System Health Validator (SHV) settings and the remediation servers for the controlled computers. Remediation servers include DNS servers, domain controllers, the file server that holds anti-virus signatures, software update servers and so on; they give a computer that fails the health check the opportunity to correct itself. Anything else that should happen after validation must be decided in policy. The SHV defines the health requirements for Windows XP and Windows Vista clients: whether Windows Firewall is enabled, whether Automatic Updates is enabled, whether anti-virus and anti-spyware software is installed (the Windows XP SHV does not support the anti-spyware check), whether the signatures of both are up to date, and it can require security updates to be installed within a set number of hours. If the company has already deployed Microsoft's Windows Server Update Services (WSUS), it can be specified here as the source of update information and files. As for anti-virus support, Microsoft states that it can recognize its own Forefront Client Security as well as the signatures of Symantec, Trend Micro, McAfee and other brands; for anti-spyware, only Windows Defender is currently supported.

Accounting: Responsible for generating log files, which can be saved in IAS log format or in a format that SQL Server can read and write.
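The accounting records are where a defender sees whether NAP is actually working: clients that keep landing in the restricted network, or clients that are rejected over and over, both deserve a look. The following is an added example, not code from the tutorial or from Microsoft; the record layout it parses (date, time, RADIUS packet type, user, NAS address, NAP result) is constructed for the example and is not the real IAS or SQL Server-compatible format, so the column mapping must be adapted to whatever NPS is configured to write.

```python
"""Added example (not from the original tutorial): reviewing NPS accounting
records for NAP outcomes. The record layout is CONSTRUCTED for this example."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# RADIUS packet type codes from RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Constructed sample records: date,time,packet_type,user,nas_ip,nap_result
SAMPLE_LOG = r"""
2008-06-02,08:01:10,2,CORP\alice,10.0.0.5,compliant
2008-06-02,08:03:44,2,CORP\bob,10.0.0.5,noncompliant
2008-06-02,09:03:50,2,CORP\bob,10.0.0.5,noncompliant
2008-06-02,10:04:01,2,CORP\bob,10.0.0.5,noncompliant
2008-06-02,10:15:22,3,CORP\carol,10.0.0.7,n/a
2008-06-02,10:15:40,3,CORP\carol,10.0.0.7,n/a
2008-06-02,10:16:05,3,CORP\carol,10.0.0.7,n/a
2008-06-02,10:16:30,3,CORP\carol,10.0.0.7,n/a
2008-06-02,11:00:00,2,CORP\dave,10.0.0.9,noncompliant
2008-06-02,11:20:00,2,CORP\dave,10.0.0.9,compliant
"""
FIELDS = ["date", "time", "packet_type", "user", "nas_ip", "nap_result"]


def parse_records(text):
    """Parse the constructed CSV layout into dicts with a real timestamp."""
    rows = []
    for r in csv.DictReader(StringIO(text.strip()), fieldnames=FIELDS):
        r["timestamp"] = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        r["packet_type"] = int(r["packet_type"])
        rows.append(r)
    return rows


def stuck_in_remediation(rows, min_restricted=3):
    """Users admitted as noncompliant at least min_restricted times and never
    seen compliant afterwards: the remediation servers are probably unreachable
    or the SHV requirement cannot be met on that machine."""
    restricted = defaultdict(int)
    recovered = set()
    for r in rows:
        if r["packet_type"] != ACCESS_ACCEPT:
            continue
        if r["nap_result"] == "noncompliant":
            restricted[r["user"]] += 1
        elif r["nap_result"] == "compliant":
            recovered.add(r["user"])
    return sorted(u for u, n in restricted.items()
                  if n >= min_restricted and u not in recovered)


def repeated_rejects(rows, threshold=3, window_seconds=300):
    """Users with at least `threshold` Access-Reject records inside a sliding
    window of `window_seconds`; worth checking for a misconfigured client or
    credential guessing against the access device."""
    times = defaultdict(list)
    for r in rows:
        if r["packet_type"] == ACCESS_REJECT:
            times[r["user"]].append(r["timestamp"])
    flagged = []
    for user, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    print("stuck in remediation:", stuck_in_remediation(records))
    print("repeated rejects:", repeated_rejects(records))
```

Both checks work equally well against the SQL Server copy of the accounting data; the thresholds are arbitrary starting points to tune against the real volume of NAP traffic.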
If the company is subject to strict audit requirements, as in the financial industry, this information can be sent to SQL Server instead.

NPS is responsible for policy and evaluation

How, in practice, does NPS authenticate each controlled client? The user turns on the computer and attempts to access the network. The network access device and the network policy server ask the client to present a health certificate, that is, a statement of its health such as the state of Automatic Updates and whether the firewall and anti-virus software are enabled. If the status declared by the System Health Agent (SHA) on the client passes the SHV checks and the NAP policy, these devices and systems pass the certificate and the connection details back to the policy server. After evaluating the connection details, the network policy server hands the user's credentials to Active Directory for authorization. If the policy requirements are met and the user is authorized, network access is granted and the user or device is admitted. Note that NPS only evaluates requests against its own policy settings and does not itself perform authorization; all network access authorization and account management are handled together with the domain controller.
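To make the SHV, health policy and network policy layers described above concrete, here is an added example that models the decision in a few dozen lines; it is not code from the tutorial or from Microsoft. The check names, the 72-hour signature age limit, the policy names and the remediation server names are all assumptions chosen for illustration, and the final Active Directory authorization step is deliberately left out, exactly as the tutorial says NPS itself does not perform it.

```python
"""Added example, not from the original tutorial: a model of how NPS decides a
NAP client's fate. It runs the Windows SHV checks the tutorial lists, tests the
result against a health policy condition, and returns the first matching
network policy. All names, thresholds and server names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StatementOfHealth:
    """What the client's System Health Agent (SHA) reports (constructed
    fields, not the real statement-of-health wire format)."""
    firewall_enabled: bool
    auto_update_enabled: bool
    antivirus_installed: bool
    antivirus_signature_age_hours: float
    antispyware_installed: bool
    antispyware_signature_age_hours: float
    os_is_xp: bool = False   # the Windows XP SHV cannot check anti-spyware
    infected: bool = False   # an SHV may report the client as infected


@dataclass
class WindowsShvSettings:
    """Requirements the tutorial lists for the Windows SHV; the signature age
    limit is an assumed value."""
    require_firewall: bool = True
    require_auto_update: bool = True
    require_antivirus: bool = True
    require_antivirus_up_to_date: bool = True
    require_antispyware: bool = True
    require_antispyware_up_to_date: bool = True
    signature_max_age_hours: float = 72.0


@dataclass
class NetworkPolicy:
    name: str
    health_condition: str
    full_access: bool
    remediation_servers: List[str] = field(default_factory=list)


# Health policy conditions, paraphrasing the options the tutorial names.
PASSES_ALL = "client passes all SHV checks"
FAILS_ONE_OR_MORE = "client fails one or more SHV checks"
PASSES_ONE_OR_MORE = "client passes one or more SHV checks"
FAILS_ALL = "client fails all SHV checks"
INFECTED = "client reported as infected"
UNKNOWN = "client status cannot be determined"

# Assumed policy order; NPS tries network policies in order, first match wins.
NETWORK_POLICIES = [
    NetworkPolicy("NAP compliant - full access", PASSES_ALL, True),
    NetworkPolicy("NAP infected - quarantine", INFECTED, False,
                  ["av-update.corp.example"]),
    NetworkPolicy("NAP noncompliant - restricted", FAILS_ONE_OR_MORE, False,
                  ["dc1.corp.example", "dns1.corp.example", "wsus.corp.example"]),
]


def run_shv(soh: StatementOfHealth, s: WindowsShvSettings) -> Dict[str, bool]:
    """Per-check SHV result; True means the check passed."""
    fresh = lambda age: age <= s.signature_max_age_hours
    r: Dict[str, bool] = {}
    if s.require_firewall:
        r["firewall"] = soh.firewall_enabled
    if s.require_auto_update:
        r["auto_update"] = soh.auto_update_enabled
    if s.require_antivirus:
        r["antivirus"] = soh.antivirus_installed
    if s.require_antivirus_up_to_date:
        r["antivirus_up_to_date"] = soh.antivirus_installed and fresh(soh.antivirus_signature_age_hours)
    if not soh.os_is_xp:  # anti-spyware checks are skipped for XP clients
        if s.require_antispyware:
            r["antispyware"] = soh.antispyware_installed
        if s.require_antispyware_up_to_date:
            r["antispyware_up_to_date"] = soh.antispyware_installed and fresh(soh.antispyware_signature_age_hours)
    return r


def health_policy_matches(condition: str, checks: Dict[str, bool], soh: StatementOfHealth) -> bool:
    """Does the SHV outcome satisfy the health policy condition?"""
    passed = list(checks.values())
    if condition == PASSES_ALL:
        return bool(passed) and all(passed) and not soh.infected
    if condition == FAILS_ONE_OR_MORE:
        return not all(passed)
    if condition == PASSES_ONE_OR_MORE:
        return any(passed)
    if condition == FAILS_ALL:
        return not any(passed)
    if condition == INFECTED:
        return soh.infected
    if condition == UNKNOWN:
        return not checks  # no SHV result was obtained at all
    raise ValueError(f"unknown health condition: {condition}")


def evaluate(soh, settings=None, policies=None):
    """Run the SHV and pick the first network policy whose health condition
    matches. AD authorization, which NPS leaves to the domain controller, is
    not modelled here."""
    settings = settings or WindowsShvSettings()
    checks = run_shv(soh, settings)
    failed = [k for k, ok in checks.items() if not ok]
    for p in policies or NETWORK_POLICIES:
        if health_policy_matches(p.health_condition, checks, soh):
            return {"policy": p.name, "full_access": p.full_access,
                    "remediation_servers": p.remediation_servers, "failed_checks": failed}
    return {"policy": None, "full_access": False, "remediation_servers": [], "failed_checks": failed}


if __name__ == "__main__":
    stale_av = StatementOfHealth(True, True, True, 100, True, 2)
    print(evaluate(stale_av))  # restricted access, remediation via WSUS and friends
```

The policy order matters: putting the "compliant" policy first and the broad "fails one or more" policy last is what keeps a client with a single stale signature out of the full-access network while still letting it reach the remediation servers.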