Set up a network policy to make accessing Windows 2008 more secure

In the LAN environment, many common workstations may not have timely installation of system patches or update the virus database, which may cause many security risks. When these workstations try to access the LAN network, they may give the entire network a seat belt. Come to a bigger threat. So how can we avoid these workstations bringing various potential security threats to the server system, which will have a very big impact on the server system? To do this, we can protect the security of the server system by setting the network policy of the Windows Server 2008 system, and prohibit dangerous workstations from bringing network viruses or Trojans into the server system!

Understanding network policies< Br>

In order to effectively protect the network and the security of the server system, Windows Server 2008 specifically adds new network policy server functions and many other security protection measures. The network policy function server system will force any attempt. The common workstations connected to it must pass specific network health checks, such as whether a firewall program is installed in the normal workstation, whether the virus database content is updated in time, whether the latest version of the system patch is installed, etc., only when the normal workstation meets After various security checks, the server system allows the workstation to connect to the server and access its contents; and those ordinary workstations that do not pass the server system security check will be quarantined to another restricted network or reduce the server's access rights. When being isolated into another restricted network, the normal workstation needs to repair the security status of the workstation through the restricted network in time, for example, quickly download and install the system patch from the patch server in the local area network, and force the firewall in the system to be enabled. Programs, etc., after meeting network security conditions, the workstation can often access any content in the server system.

Installing Network Policy Server

Although the Windows Server 2008 system has built-in network policy server function, it is not enabled by default. At this time, we only have to use the function component first. Installed in order to take advantage of the security of this feature to protect the security of the server system.

When installing the network policy component, we must first enter the Windows Server 2008 system with system administrator privileges, open the system's "Start" menu, select "Programs" /"Administrative Tools" /" Server Manager command to open the server manager window of the corresponding system;

Display the area on the left side of the Server Manager window, select the "Role" option, in the display area to the right of the corresponding option, Click the "Add Role" function icon to open the role to add wizard settings window; from the prompt information in the settings window, we see that you need to do three things to prepare to install the network policy component, the first is to ensure the administrator account Have a strong password, the second is to ensure that the network settings have been prepared, and the third is to install the latest security updates in Windows Update;

after confirming above all the preparatory work has been completed, click "Next" button, open the list of server roles as shown in the window shown in Figure 1, where I Seeing that the server system is not selected by default in the "Network Policy and Access Service" function component, this means that the network policy function is not installed at this time; at this time, we can select the "Network Policy and Access Service" option here. Then click the "Next" button; when the role service list window shown in Figure 2 appears on the screen, select the "Network Policy Server" option, continue to click the "Next" button, and finally click the "Install" button In this way, the server system will automatically install the selected roles and role services in turn.

When the network policy component installation operation is finished, the system will automatically pop up a prompt. Now you can use this function component to configure the network access protection of the server system; and this At this moment, the DHCP service in the server system will be automatically replaced by the newly installed network policy server component. We must correctly configure the relevant DHCP parameters involved in the network policy server to achieve good network security protection. By default, the Windows Server 2008 system does not enable the Network Access Protection component associated with the Network Policy Server, which requires us to manually enable it in the DHCP scope attribute of the Network Policy Server.

Setting up a network policy server

After successfully installing the network policy server function component, we can now enter the network policy server to properly configure it so that it can function in time. Protect the security of the server system.

First open the Windows Server 2008 system Start menu, select the "Programs" /"Administrative Tools" /"Network Policy Server" option, open the Network Policy Server console window, as shown in Figure 3. ;

console display area on the left of the window We found that the network policy server contains four aspects: connection request policy, network policy, health policy and network access protection components. These policies and components will be network isolated and secure to the common workstation system accessing the unit server system. Processing, health policy review, and network access protection;

Using a connection request policy, we can specify whether to process connection requests locally or forward them to a remote Radius server for processing;

Health Strategy We can customize the standard for the health of a normal workstation, which is often used in conjunction with the Network Access Protection component. In general, we usually need to create two basic policies in the server system, one of which is the strategy of the secure workstation, and the other is the strategy of the unsecure workstation. When creating a policy for a secure workstation, we can expand the Policy/Health Policy option in the display area on the left side of the Network Policy Server console window, right-click the Health Policy option, and the shortcut from the pop-up Select the "New" command in the menu to open the settings dialog shown in Figure 4; in the settings dialog, the policy name is taken as "secure workstation" and the "client SHV ​​check" is set to "client passed all SHV check", then click the "OK" button, so that the secure workstation policy is created successfully. Similarly, we can create an "unsafe workstation" policy and set the client's SHV check for the policy to "the client failed to pass all SHV checks."

So what exactly it is safe workstation, there Which workstations are not safe? This needs to be evaluated with the System Health Validator under the Network Access Protection component! The System Health Validator will force check some settings of the normal workstation and compare these settings against the relevant security policies that have been set beforehand to evaluate the normal workstation. It is still safe and unsafe. For example, let's assume that if the system does not install firewalls and anti-virus software, then the workstation system is considered to be insecure; when configuring this security policy, we can display the area on the left side of the Network Policy Server console window. Expand the Network Access Protection /System Health Validator option, and in the right area of ​​the corresponding option, right-click the Windows Security Health Validator option and execute Properties from the pop-up shortcut menu. "Command, click the "Configure" button in the property setting window that appears later, open the configuration interface shown in Figure 5, in which you must select the "Enable firewall for all network connections" option and "Antivirus application" The program is enabled" option, and finally click the "OK" button to end the Windows security and health verification configuration operation, so that as long as the normal workstation is installed with firewall and anti-virus software, Windows Server 2008 system considers the workstation to be a secure workstation.

Windows Server 2008 when the system detects a common workstation is safe or workstations, network policy server also provides remedies to allow unsafe The workstation automatically accesses the patch update server or the virus database update server in the local area network to install the system patch and the update virus database program to the normal workstation in time. In order for an unsecure workstation to automatically install patches or automatically update the virus database, we need to use an update server group to define which systems the unsecure workstation can access in order to automatically restore the workstation's unsafe state to a secure state from these systems. When specifying a server system that an unsecure workstation can access, we can expand the Network Access Protection /Update Server Group option in the display area on the left side of the Network Policy Server console window, and then right-click Update the server group option, execute the "New" command from the pop-up shortcut menu, open the creation dialog shown in Figure 6, click the "Add" button in the dialog box, and enter the system patch correctly in the subsequent interface. Update the host name or IP address of the server or virus database update server. If the normal workstation is detected as unsafe afterwards, it will automatically connect to the system patch update server or virus database update server to install the system patch or Update the virus database. When a regular workstation installs a patch or updates a virus database, when it accesses the Windows Server 2008 system again, the system considers it a secure workstation, and the workstation can allow connection to the server system, so that we Can maximize the security of the server system.

course, we need to remind here that the above system health validator, health policy, the connection request policy, and so need to update server network policy group When combined, we can play an effective role; we can determine how to handle the workstation according to the security status of the common workstation; for example, when it is found that the normal workstation matches the unsafe workstation strategy, then we can define the network policy to indicate the local area network. The DHCP server in the network provides the target general workstation with an IP lease of restricted scope options, ensuring that the workstation address can only access the system defined in the specified update server group.