Using NPS policy in Windows Server 2008


Most employees are mobile workers. Because their virus databases are not updated in time and system patches are not installed, mobile office equipment is in a dangerous state, and when it accesses the internal network it is likely to threaten the entire network. How can the network defend this entry point?

The author's unit is a media company with a team of hundreds of reporters. Each reporter is equipped with a laptop and an Internet access device. Reporters often carry their laptops on business trips and do not log in to the internal network for long periods. Anti-virus software and system patch updates are deployed on the network, but when a reporter connects to the company network through a VPN or other means, the connection time is very short, and the system patches and virus database cannot be downloaded immediately. Because the virus database is not updated in time and the system patches are not installed, the laptop is in a "dangerous" state. Once it is infected and carries viruses or Trojans onto the internal network, the impact on the network is severe.

Is there any way to automatically check the security of a client computer when it logs in to the network, and allow it onto the network only after it meets the security standard? That is NAP, a network protection policy.

NAP is strictly controlled

Windows Server 2008 provides NAP (Network Access Protection). The network protection policy is that any client computer (LAN client or VPN client) must pass a network health check, such as whether the latest security patches are installed, whether the anti-virus signature database is updated, and whether the firewall is enabled, and is allowed into the internal network only after meeting these security conditions. Computers that fail the system health check are quarantined on a restricted-access network. On the restricted network the computer's state is repaired (for example by downloading a specific system patch from the patch server, or by forcibly applying a firewall policy), and it accesses the company's internal network only after it reaches the network health standard.

Windows Server 2008 provides a variety of methods for network access protection. The easiest is to use an NPS (Network Policy Server) policy together with the DHCP service. To deploy this policy, the client computers need to be configured: enable the Enable Security Center (Domain PC Only) policy in Group Policy, and enable the DHCP Quarantine Enforcement Client policy. The NAP Agent service must also be enabled; it is recommended to set its startup mode to "Automatic".
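The client-side preparation described above, written out as a script. This is an added example, not code from the original article or from Microsoft; it assumes a domain-joined Windows Vista or Windows 7 client that has the NAP Agent service (service name `napagent`), and that `79617` is the ID of the DHCP Quarantine Enforcement Client as listed by `netsh nap client show state`. The Security Center policy itself is normally delivered through Group Policy, which is why the script only forces a policy refresh for it.

```powershell
# Added example (not from the original article): prepare a domain-joined NAP client
# for DHCP enforcement. Run in an elevated PowerShell on the client.
# Assumptions: Windows Vista/7 client with the NAP Agent service present, and
# 79617 as the ID of the DHCP Quarantine Enforcement Client.

function Enable-NapDhcpClient {
    # 1. NAP Agent service: set to Automatic start (the article's recommendation)
    #    and start it now so the first check does not wait for a reboot
    sc.exe config napagent start= auto | Out-Null
    Start-Service -Name napagent

    # 2. Enable the DHCP enforcement client locally. In production this is the
    #    same setting the DHCP Quarantine Enforcement Client Group Policy applies.
    netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" | Out-Null

    # 3. Pull the Security Center and NAP client settings from Group Policy
    gpupdate /target:computer /force | Out-Null
}

function Test-NapDhcpClient {
    # Read-only summary of the three points the article says must be in place
    $svc   = Get-Service -Name napagent
    $wmi   = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    $state = netsh nap client show state

    # Keep only the lines of the netsh output that belong to the DHCP enforcement client
    $dhcpLines = ($state | Select-String -Pattern '79617' -Context 0, 3 | Out-String).Trim()

    New-Object PSObject -Property @{
        AgentRunning     = ($svc.Status -eq 'Running')
        AgentStartMode   = $wmi.StartMode
        DhcpEnforcement  = $dhcpLines
    }
}

Enable-NapDhcpClient
Test-NapDhcpClient | Format-List
```

`Test-NapDhcpClient` is safe to run on its own on any client; a start mode other than `Auto`, a stopped agent, or an enforcement client that shows as disabled explains most cases where a machine never receives a NAP-restricted lease in the first place.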

Installing NPS Services

After a default installation of Windows Server 2008, the NPS (Network Policy Server) service is not installed; the network administrator must install it manually.

Start Server Manager and run the Add Roles Wizard. In the Select Roles dialog box, select Network Policy and Access Services in the Roles list; the remaining options can be left at their defaults.

After the NPS service is installed, the DHCP service on the member server is replaced by the new NPS-capable component, and the network administrator needs to configure the DHCP options involved in NAP. By default the NPS-associated "Network Access Protection" component is not enabled; it is enabled in the properties of the DHCP scope.

NAP switches computers between restricted and unrestricted network access within the same scope by adding a User Class scope category. This set of special scope options (DNS server, DNS domain name, router, and so on) is used when providing leases to non-compliant client computers. For example, the default DNS suffix provided to a compliant client is "book.com", while the DNS suffix provided to a non-compliant client is "Testbook.com".
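The DHCP-side configuration just described (NAP enabled on the scope, one set of options for compliant clients and a second set under the NAP user class for non-compliant ones), as an added example rather than the article's own steps. It is written for the `netsh dhcp` context of Windows Server 2008 and run in an elevated PowerShell on the DHCP server. The scope `192.168.10.0`, the server addresses and the `Testbook.com` remediation suffix are constructed values; "Default Network Access Protection Class" is the user class the DHCP server creates when NAP is enabled. The argument order for `set optionvalue` is written from the netsh dhcp reference and should be confirmed with the built-in help (`/?`) before use.

```powershell
# Added example (not from the original article): NAP-enable a DHCP scope and
# define the restricted options handed to non-compliant clients.
# Assumptions: Windows Server 2008 DHCP on this server, scope 192.168.10.0
# (constructed), DNS server 192.168.10.10, router 192.168.10.1 and remediation
# DNS 192.168.10.20 (all constructed). Confirm argument order with:
#   netsh dhcp server scope 192.168.10.0 set optionvalue /?

$Scope    = '192.168.10.0'
$NapClass = 'Default Network Access Protection Class'

# 1. Enable Network Access Protection for the scope
netsh dhcp server scope $Scope set napstate enable

# 2. Options for compliant clients (no user class): the normal corporate settings.
#    015 = DNS domain name, 006 = DNS servers, 003 = router
netsh dhcp server scope $Scope set optionvalue 015 STRING book.com
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS 192.168.10.10
netsh dhcp server scope $Scope set optionvalue 003 IPADDRESS 192.168.10.1

# 3. Options for non-compliant clients, scoped to the NAP user class. Only the
#    remediation resolver is offered, so the quarantined machine can reach the
#    update servers named in the remediation (update) server group and nothing else.
netsh dhcp server scope $Scope set optionvalue 015 STRING user="$NapClass" Testbook.com
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS user="$NapClass" 192.168.10.20

# 4. Review both option sets side by side
netsh dhcp server scope $Scope show optionvalue
```

When checking the result, the important point is that the class-specific options appear under the NAP user class and the default options stay untouched; if the remediation suffix shows up at scope level, compliant clients would be sent to the restricted resolver as well.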

The Network Health Validator, Update Server Group, Health Policy and Network Policy together verify, quarantine, remediate and audit the health of computers joining the corporate network.

Network Health Validator: evaluates the computer's running state. It defines which checks are performed and sets up a checklist used to decide, according to the configured policy, which computers connected to the network are secure and which are not; for example, a computer whose firewall is turned off, or on which no anti-virus software is installed, is considered unsafe. Start the Network Policy Server component, open NPS (Local) → Network Access Protection → System Health Validator, and configure the states to be checked in the property list, as shown in Figure 1.
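A read-only client check that mirrors the three conditions the validator is configured to evaluate in this deployment (firewall on, anti-virus present and current, no missing updates). This is an added example, not part of the article or of the Windows Security Health Validator itself; it is useful on a laptop before it connects, or on a help desk to explain why a machine landed in the restricted network. It assumes a Windows Vista or Windows 7 client, the `root\SecurityCenter2` WMI namespace (older clients use `root\SecurityCenter`), and the commonly used but undocumented decoding of the `productState` bit field, which should be treated as an assumption.

```powershell
# Added example (not from the original article): report the same health facts the
# Security Health Validator checks, so an administrator can see them locally.
# Assumptions: Windows Vista/7 client, root\SecurityCenter2 namespace, and the
# widely used (undocumented) interpretation of AntiVirusProduct.productState.

function Get-FirewallState {
    # HNetCfg.FwPolicy2 exposes per-profile state: 1 = Domain, 2 = Private, 4 = Public.
    # Only the profiles that are currently active are considered.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $fw.CurrentProfileTypes
    $enabled = $true
    foreach ($profile in 1, 2, 4) {
        if ((($active -band $profile) -ne 0) -and (-not $fw.FirewallEnabled($profile))) {
            $enabled = $false
        }
    }
    return $enabled
}

function Get-AntiVirusState {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                -ErrorAction SilentlyContinue
    $state = New-Object PSObject -Property @{ Installed = $false; Enabled = $false; UpToDate = $false }
    if (-not $products) { return $state }
    $state.Installed = $true
    foreach ($p in $products) {
        # productState as six hex digits: digits 3-4 = real-time protection, 5-6 = signature age
        # (assumed decoding: 10/11 = enabled, 00/01 = disabled; 00 = current, 10 = out of date)
        $hex = '{0:x6}' -f [int]$p.productState
        $realTime  = $hex.Substring(2, 2)
        $signature = $hex.Substring(4, 2)
        if ($realTime -eq '10' -or $realTime -eq '11') { $state.Enabled = $true }
        if ($signature -eq '00') { $state.UpToDate = $true }
    }
    return $state
}

function Get-MissingUpdateCount {
    # Windows Update Agent COM API; the search goes to WSUS or Microsoft Update,
    # depending on the client's configured update source
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count
}

function Get-ClientHealth {
    $av = Get-AntiVirusState
    $report = New-Object PSObject -Property @{
        FirewallEnabled  = Get-FirewallState
        AntiVirusEnabled = $av.Enabled
        AntiVirusCurrent = $av.UpToDate
        MissingUpdates   = Get-MissingUpdateCount
    }
    # Compliant only if every check passes, which is what the "pass all security
    # verification" health policy in the article requires
    $compliant = $report.FirewallEnabled -and $report.AntiVirusEnabled -and `
                 $report.AntiVirusCurrent -and ($report.MissingUpdates -eq 0)
    $report | Add-Member -MemberType NoteProperty -Name Compliant -Value $compliant
    return $report
}

Get-ClientHealth | Format-List
```

The script changes nothing on the client. If `Compliant` is `False` here but the machine still receives an unrestricted lease, the problem is on the NPS side (validator settings, health policy, or network policy order), not on the client.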

Update Server Group: allows the network administrator to define the systems that computers with poor health are permitted to access. By accessing these defined systems, computers in poor health are restored to normal. During setup, note that the IP address of the target server and its DNS name resolution must be consistent. Start the "Network Policy Server" component, open "NPS" → "Network Access Protection" → "System Health Validator", create a new "Update Server Group", and set the IP address and name of the virus database update server or patch update server.

The health policy establishes the standard for client computer health. It is recommended to create two policies, one for secure computers and one for non-secure computers. A computer that the network health validator verifies as secure is classified under the secure-computer policy; one that it verifies as insecure is classified under the insecure-computer policy. Start the "Network Policy Server" component, open "NPS" → "Policy" → "Health Policy", and create two new health policies: one is the "pass all security verification" policy, as shown in Figure 2; the other is the "no network security check" policy.

Network Policy: defines the processing rules and determines how a computer is handled based on its health. Network health validators, update server groups and health policies are tied together through network policies. A network policy is defined by the administrator and instructs NPS how to handle a computer based on its running state. NPS evaluates these policies from top to bottom, and as soon as the computer matches a policy's conditions, processing stops.

Two policies are created, namely the "pass all security verification" policy and the "no network security check" policy.

The "pass all security verification" policy states that computers that pass all Security Center checks gain unrestricted network access. The "no network security check" policy corresponds to any computer that has failed one or more SHV (System Health Validator) checks. If a computer matches this policy, NPS instructs the DHCP server to give the client an IP lease with the special NAP restricted scope options. This address only allows the non-compliant computer to access the resources defined in the update server group. Start the "Network Policy Server" component, open "NPS (Local)" → "Policy" → "Network Policy", create a new policy for "pass all security health checks", and set its access rights.

After NAP is deployed, when a reporter returns to the company network the client is checked first: a computer without the latest virus database automatically connects to the virus database update server to upgrade it; a computer missing system patches automatically connects to the WSUS server to install them; and on a computer without the firewall enabled, the user is prompted to enable it. Once these conditions are met, the client is allowed to connect to the internal network, maximizing network security.

The Four Steps of Network Access Protection

Network access protection consists of four parts: policy verification, isolation, remediation and continuous monitoring.

Policy Verification

Policy verification means that NAP evaluates the state of a client computer system against a set of rules defined by the network administrator. When the computer attempts to connect to the network, NAP compares its security health report with the defined policy. Computers that conform to the policies are considered healthy; computers that fail one or more of the checks are considered unhealthy.

Isolation

Isolation can be understood as a network connection restriction. According to the policy defined by the network administrator, NAP can set a computer's network connection to various states. For example, if a computer is considered unhealthy because it lacks critical security updates, NAP can place it on an isolated network, separated from other computers on the network, until it is healthy (the patches are installed).

Remediation

For computers whose connection has been restricted because of poor health, NAP provides a remediation strategy so that quarantined computers can correct their state without the intervention of a network administrator. The restricted network allows an unhealthy computer to reach the updates it needs.

Continuous Monitoring

Continuous monitoring forces the computer to keep complying with these policies while it remains connected to the network, not just during the initial connection. If the computer's status stops matching the policy, for example because the Windows Firewall has been disabled, NAP automatically turns the firewall back on so that compliant network access is restored.
