Joe Davies
Principal Writer, Windows Server Information Experience
Presented at: Windows Networking User Group, November 2, 2011
© 2011 Microsoft Corporation

• NAP overview
• NAP enforcement methods
• NAP components and architecture

What is NAP and why do you need it?

• Challenge
  ◦ How to maintain computer health
  ◦ How to define and enforce computer health requirements
    ▪ Intranet computers
    ▪ Home computers
    ▪ Traveling portable computers
• Risk
  ◦ Malicious software attacks out-of-date computers

• Platform that monitors and enforces compliance with health requirements for network access or communication
• Operating system components built into
  ◦ Microsoft® Windows Server® 2008/R2
  ◦ Microsoft Windows 7
  ◦ Microsoft Windows Vista™
  ◦ Windows® XP with Service Pack 3 (SP3)
• Application programming interfaces (APIs)
  ◦ Allows for integration with third-party vendors

• Health state validation
• Health policy compliance
• Limited access

• Computer that is trying to connect to or communicate on the network is evaluated for system health requirements
• Compliant computers
  ◦ Grant unlimited access
• Noncompliant computers
  ◦ Monitoring-only environment
    ▪ Grant unlimited access but log compliance state of computer
  ◦ Restricted access environment
    ▪ Limit access to restricted network

• Automatically update noncompliant computers (autoremediation)
  ◦ Monitoring-only environment
    ▪ Noncompliant computers will have unlimited access before they are updated
  ◦ Restricted access environment
    ▪ Noncompliant computers will have limited access until they are updated
• Automatically update compliant computers to guarantee ongoing compliance

• Limiting network access to a restricted network
• Health update resources
  ◦ Located on the restricted network
  ◦ Used by NAP clients to obtain updates for compliance
    ▪ Example: antivirus signature and operating system update servers
• Computers can be excepted from having their access limited

• NAP infrastructure servers run Windows Server 2008/R2
  ◦ Windows-based NAP enforcement points
  ◦ NAP health policy servers
• NAP clients run
  ◦ Windows 7
  ◦ Windows Vista
  ◦ Windows XP with Service Pack 3
  ◦ Windows Server 2008/R2

• Verify the health state of roaming laptops
• Verify the health state of desktop computers
• Verify the health state of visiting laptops
• Verify the health state of unmanaged home computers

• NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy
• NAP is not designed for:
  ◦ Blocking unauthorized users
  ◦ Rogue machine control
  ◦ Software distribution control
• NAP is a flexible health control solution that is reliant on other mechanisms to solve these issues
  ◦ It is the compliance check and enforcement solution for these mechanisms

What types of ways of connecting or communicating can NAP help protect?
• Internet Protocol security (IPsec)-protected communications
• IEEE 802.1X-authenticated network connections
• Remote access virtual private network (VPN) connections
• Dynamic Host Configuration Protocol (DHCP) configuration

| Enforcement | Healthy client | Unhealthy client |
|---|---|---|
| DHCP | Full IP address given, full access | Restricted set of routes |
| Remote access VPN (RRAS) | Full access | IP filters on VPN server |
| 802.1X | Full access | Restricted VLAN or port ACLs |
| IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems |

• Require proof of health compliance for IPsec-protected end-to-end traffic
  ◦ Health certificate is used during IPsec authentication
• In a restricted access environment, a computer must be compliant to initiate communications with other compliant computers
  ◦ IPsec policy that requires a health certificate for authentication
  ◦ Noncompliant computers cannot initiate communication with compliant computers
• A Health Registration Authority (HRA) obtains X.509-based health certificates for NAP clients

• Require health evaluation when making an 802.1X-authenticated connection
  ◦ Wireless
  ◦ Wired
• In a restricted access environment
  ◦ A computer must be compliant to obtain unlimited network access
  ◦ Noncompliant computers have limited access
    ▪ A set of Internet Protocol (IP) packet filters specified by an access control list (ACL)
    ▪ A virtual LAN (VLAN) identifier

• Require health evaluation when making a remote access VPN connection to a Windows Server 2008/R2-based VPN server
• In a restricted access environment
  ◦ A computer must be compliant to obtain unlimited network access
  ◦ Noncompliant computers have limited access
    ▪ A set of IP packet filters

• Require health evaluation when requesting an IP version 4 (IPv4) address configuration from a Windows Server 2008/R2-based DHCP server
• In a restricted access environment
  ◦ A computer must be compliant to obtain an unlimited access IPv4 address configuration
  ◦ Noncompliant DHCP clients have IPv4 address configurations with limited access
    ▪ Limited IPv4 configuration and special routes in the IPv4 routing table

DHCP enforcement: advantages
• Can be eased into current IP management scheme
• Can be used in conjunction with any of the other enforcement options
• A NAP-capable DHCP server (Windows Server 2008/R2) will still issue addresses to non-NAP-capable clients
• Quick and easy to set up either in production or as a proof of concept

DHCP enforcement: disadvantages
• Requires an instance of NPS to be running on the DHCP server (either as a proxy or as the NPS server itself)
• Can be bypassed by static IP addressing of clients
• Has no authentication or encryption built into the protocol
• Frequency of health check is associated with lease time

VPN enforcement: advantages
• All required technologies are built into Windows (client and server platforms)
• Supports secure authentication methods (EAP)

VPN enforcement: disadvantages
• Uses IP filters for quarantine, and filter size can be an issue
• Only works with the Routing and Remote Access service built into Windows Server 2008/R2

802.1X enforcement: advantages
• Industry standard protocol supported by all switch and AP vendors
• Supplicant is built into Windows
• Supports passwords or certificates as the credential
• Can be deployed in conjunction with DHCP or IPsec enforcement

802.1X enforcement: disadvantages
• Requires compatible hardware
• Bootstrapping clients with credentials is challenging
• Dynamic VLAN switching during the boot process can be problematic
• Requires designing multiple VLANs based on health state
• Requires the Windows supplicant to be used

IPsec enforcement: advantages
• Unhealthy clients are truly isolated (credential automatically revoked by the NAP agent)
• Offers strong authentication AND encryption (encryption is optional, not required)
• Works with any switch, router or AP
• Technologies are built into Windows (client and server platforms)

IPsec enforcement: disadvantages
• Requires PKI to be deployed
• Only works in a managed environment (machines must be domain joined)
• Certificates are the only supported credential
• Requires an additional role to be deployed on the network
  ◦ Health Registration Authority (HRA)

What are the pieces of NAP and how does it all work?

[Architecture diagram: VPN server, Active Directory, IEEE 802.1X devices, Internet, Health Registration Authority, perimeter network, intranet, remediation servers, NPS server, DHCP server, restricted network, NAP client with limited access]

• System health agents and system health validators
• Enforcement components and methods
• Network Policy Server (NPS)
• Remediation servers

• Provide health state tracking and validation
• System health agents (SHAs)
  ◦ NAP client component
  ◦ Report the health state of a computer
• System health validators (SHVs)
  ◦ NAP health policy server component
  ◦ Validate the health state of a computer
• NAP APIs allow vendors to create custom SHAs and SHVs

• Windows Security Health Agent
  ◦ Runs on Windows 7, Windows Vista, and Windows XP with SP3-based NAP clients
  ◦ Integrated with Windows Action/Security Center
    ▪ Firewall software installed and enabled
    ▪ Antivirus software installed, enabled, and updated
    ▪ Antispyware software installed, enabled, and updated
    ▪ Automatic updates enabled
• Windows Security Health Validator
  ◦ Runs on NAP health policy server (Windows Server 2008/R2)

• Remote Authentication Dial-In User Service (RADIUS) server and proxy for Windows Server 2008/R2
• NAP health policy server
  ◦ Allows configuration of system health requirement policies
  ◦ Determines health compliance and remediation actions for noncompliance
    ▪ Autoremediation
    ▪ Limited access

• Servers, services, or other resources that a noncompliant computer on the restricted network can access to correct system health
  ◦ Domain Name System (DNS) server
  ◦ Antivirus signature file server
  ◦ Software update server

• IPsec enforcement
• 802.1X enforcement
• VPN enforcement
• DHCP enforcement

• NAP client sends its health state to the HRA, which sends it to the NAP health policy server (an NPS)
• NAP health policy server evaluates the health state of the NAP client
  ◦ If compliant
    ▪ The HRA obtains a health certificate for the NAP client
  ◦ If not compliant
    ▪ The HRA does not obtain a health certificate and instructs the NAP client to correct its health state

• During 802.1X authentication, the NAP client sends its health state to the NAP health policy server
• The NAP health policy server evaluates the health state of the NAP client
  ◦ If compliant
    ▪ NAP health policy server instructs the 802.1X access point to grant unlimited access
  ◦ If not compliant
    ▪ NAP health policy server instructs the NAP client to correct its health state and can instruct the 802.1X access point to grant limited access
      - ACLs on the port for the IP addresses of remediation servers
      - Limited access VLAN

• During authentication, the NAP client sends its health state to the NAP health policy server
• The NAP health policy server validates the health state of the NAP client
  ◦ If compliant
    ▪ NAP health policy server instructs the VPN server to grant unlimited access
  ◦ If not compliant
    ▪ NAP health policy server instructs the NAP client to correct its health state and can instruct the VPN server to grant limited access
      - Packet filters on the VPN connection for the IP addresses of remediation servers

• During configuration, the NAP client sends its health state to the DHCP server, which then sends it to the NAP health policy server
• The NAP health policy server evaluates the health state of the NAP client
  ◦ If compliant
    ▪ NAP health policy server instructs the DHCP server to assign an unlimited access configuration
  ◦ If not compliant
    ▪ NAP health policy server instructs the NAP client to correct its health state and can instruct the DHCP server to assign a limited access configuration
      - DHCP options for an address without a subnet, no default gateway, and static routes for the IP addresses of remediation servers

• Portal page
• Demonstrate Remote Access VPNs
• Demonstrate NAP for Remote Access VPN

• Portal page
• Demonstrate DirectAccess
• Demonstrate DirectAccess with NAP

• NAP product information site (http://www.microsoft.com/nap)
• NAP TechNet site (http://technet.microsoft.com/en-us/network/bb545879.aspx)
  ◦ Introduction to Network Access Protection
  ◦ Network Access Protection Platform Architecture
• Step-by-step guides
  ◦ Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab
  ◦ Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab
  ◦ Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab

• Windows Server Networking on TechNet
• Windows Server Networking on MSDN
• Windows Networking Writing Team blog
• Windows Server Documentation Twitter feed
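The following is an added example, not code from the presentation or from Microsoft: a toy Python model of the decision flow the enforcement process slides describe for a DHCP NAP client, checking an SHA report against the Windows Security Health Validator requirements listed above and then applying the NPS decision in both the monitoring-only and the restricted access environment. The function names, the gateway and the remediation server addresses are constructed for illustration.

```python
# Added example, not Microsoft code: toy model of NAP health validation and the
# NPS decision for DHCP enforcement. Addresses and names below are constructed.

# Requirements the Windows Security Health Validator checks (from the slides).
HEALTH_POLICY = (
    "firewall_enabled",
    "antivirus_enabled",
    "antivirus_updated",
    "antispyware_enabled",
    "antispyware_updated",
    "automatic_updates_enabled",
)

# Constructed addresses: the default gateway and the remediation servers a
# noncompliant client may reach (DNS, antivirus signature server, update server).
GATEWAY = "10.0.0.1"
REMEDIATION_SERVERS = ("10.0.0.53", "10.0.0.60", "10.0.0.61")


def validate_health(report: dict) -> list:
    """SHV role: return the requirements the SHA report fails (a missing item fails)."""
    return [item for item in HEALTH_POLICY if report.get(item) is not True]


def dhcp_decision(report: dict, address: str, restricted: bool) -> dict:
    """NPS role for DHCP enforcement.

    restricted=False is the monitoring-only environment: a noncompliant client
    still gets a full configuration, but its compliance state is logged.
    restricted=True is the restricted access environment: a noncompliant client
    gets an address with no default gateway and only routes to remediation servers.
    """
    failures = validate_health(report)
    compliant = not failures
    status = "compliant" if compliant else "noncompliant: " + ", ".join(failures)
    decision = {"address": address, "compliant": compliant,
                # The NAP client is told to correct these items (autoremediation).
                "remediate": failures, "log": f"{address} {status}"}
    if compliant or not restricted:
        decision.update(access="full", gateway=GATEWAY, routes=["0.0.0.0/0"])
    else:
        decision.update(access="limited", gateway=None,
                        routes=[f"{ip}/32" for ip in REMEDIATION_SERVERS])
    return decision


if __name__ == "__main__":
    stale = {item: True for item in HEALTH_POLICY}
    stale["antivirus_updated"] = False  # constructed: signatures out of date
    print(dhcp_decision(stale, "10.0.0.101", restricted=True))
```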