Security and Policy Enforcement in Windows Server 2008

Table of Contents
Introduction 1
Facilities 2
About This Clinic 3
Clinic Outline 4
Infrastructure Optimization Model 5
Security Enhancements in Windows Server 2008 6
Overview 7
Technical Background 13
Implementation/Usage Scenarios 31
Recommendations 33
Summary 34
Network Access Protection 36
Overview 37
Technical Background 39
Implementation/Usage Scenarios 69
Recommendations 71
Summary 72
Hands-On Lab 74
Clinic Summary
What Next? 75

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites.
Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© Microsoft Corporation. All rights reserved. Microsoft and the Microsoft product names mentioned herein are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.0

Introduction

Facilities

About This Clinic

Description
This clinic will provide an overview of Network Access Protection and other new security features and capabilities in Windows Server 2008.

Objectives
The objective of this clinic is to provide information regarding the benefits, technical details, and implementation of Network Access Protection (NAP), Quality of Service (QoS), IPSec and Windows Firewall in Windows Server 2008.

Audience
This clinic is intended for IT professionals currently experienced with the technologies included in Windows 2000 Server and Windows Server 2003, who hold an MCSE or MCSA certification and/or have equivalent knowledge.
Prerequisites
- Experience with Microsoft® Windows Server and client operating systems
- Experience with IPSec, Group Policy and other security features running on Windows Server 2003

Clinic Outline
Securing your network, servers and lines of communication is of paramount importance to any administrator, and Windows Server 2008 will facilitate these tasks. One of the main focuses in the design and development of Windows Server 2008 was increased security. The new security and policy enforcement features will make the administrator's job of configuring and maintaining security considerably easier.

Objectives
This clinic includes the following topics:
- Security Enhancements in Windows Server 2008.
- Network Access Protection in Windows Server 2008.

Infrastructure Optimization Model
The Infrastructure Optimization Model helps customers understand and subsequently improve the state of their IT infrastructure, and describes what that means in terms of cost, security risk, and operational agility. Microsoft Infrastructure Optimization (IO) is structured around three information technology models: Core Infrastructure Optimization, Application Platform Infrastructure Optimization, and Business Productivity Infrastructure Optimization. Core IO focuses on the foundational elements of IT services and components and includes five key capabilities: Identity and Access Management; Desktop, Device and Server Management; Data Protection and Recovery; Security and Networking; and IT and Security Process. This clinic focuses on those technologies which support the Security and Networking category of the Core Infrastructure Optimization Model.
Security Enhancements in Windows Server 2008

Objectives
At the end of this section, you will have learned the answers to the following questions:
- What are some of the new security features in Windows Server 2008?
- How are security policies enforced in Windows Server 2008?
- What is the new Windows Firewall?
- What is IPSec? How does it work and what are its benefits?
- What other enhancements have been made in Windows Server 2008 to improve security?

Overview
Windows Server 2008 includes a variety of new security initiatives which provide new methods of security and policy enforcement, ensure the integrity and confidentiality of data, and improve the security of communications.

Methods of Security and Policy Enforcement
The new security and policy features in Windows Server 2008 enable administrators to apply security policies in a systematic and efficient manner across the entire network. These improvements translate to an easier transition to increased security without a corresponding increase in difficulty. The enforcement methods include:

Network Location Awareness (NLA). Network Location Awareness is built into the operating system and monitors the network for any changes. This monitoring and constant awareness ensures that client computers and servers can process Group Policy more efficiently and respond more quickly to slow or disconnected network segments. Network Location Awareness no longer depends upon ICMP (PING) for policy application, which speeds up the startup process for machines. It also means that network border devices that block ICMP will no longer inhibit the processing of policies.

Network Access Protection (NAP). This new feature ensures compliance with specific health policies for systems accessing the network.
Network Access Protection assists administrators in achieving and maintaining a specific health policy. The main components of Network Access Protection are:
- Health Policy Validation. The health state of any computer attempting to access the network will be compared against the policy created by the administrator before it is allowed access.
- Health Policy Compliance. Using software management applications (systems management software, for example), administrators can automatically update noncompliant computers.
- Limited Access. Only computers that meet or exceed the health compliance requirements will be permitted access; all others will be quarantined until they meet the required health standards.
Additional information regarding NAP will be provided later in this clinic.

Windows Firewall with Advanced Security
Windows Firewall with Advanced Security (WFAS) in Windows Server 2008 is a stateful, host-based firewall that filters traffic based on specific rules you create. This firewall is an enhancement of the one found in Windows XP SP2 and Windows Server 2003 SP1. Firewalls within the operating system provide an additional layer of security by filtering traffic to and from the client. Capabilities and new features that have been added to WFAS include:
- Filtering of incoming and outgoing traffic. Filtering of outgoing traffic is new with WFAS.
- Firewall rules that specify the use of IPSec can be configured so that only specific Active Directory groups and accounts can initiate the communications session.
- Rules can be based on source and destination IP addresses and on source and destination ports (TCP and UDP), including multiple ports.
- You can specify an individual service by service name. In the past, it was necessary to specify a path to the service. Application rules are still defined based on path, not on a hash of the executable.
Additional details regarding Windows Firewall with Advanced Security will be provided later in this clinic.
Internet Protocol Security (IPSec)
Information is the key to power in today's digital world. Maintaining appropriate controls over the transmission of and access to information is what IPSec is designed to do. In its basic form, IPSec is implemented to secure communications between computers, but it can do a lot more than this depending on how you implement IPSec in your network and what type of communication you want to secure. You can deploy IPSec to segment your network, help prevent the theft of data and user credentials, and secure VPN communications.

New IPSec Features. Windows Server 2008 has expanded upon the capabilities of IPSec in Windows Server 2003 and added these new capabilities:
- IPSec is configured from the same interface that is used for Windows Firewall with Advanced Security (WFAS). You can also use command-line tools to configure Windows Firewall with Advanced Security and IPSec.
- IPv6 is fully supported by IPSec.
- During initial session establishment, Windows Server 2008 will attempt to communicate in the clear while trying to negotiate a protected communication session in parallel. Depending on the response, the initiator will either continue to communicate only in the clear, or continue in the clear only until a secure channel is established.
- IPSec can be used for NAP enforcement.

IPSec Scenarios. There are several scenarios to choose from when deploying IPSec:
- Packet filtering. IPSec acts as a host-based packet filter and limited firewall.
- End-to-end security between specific hosts. You can secure the communications between two specific hosts.
- End-to-end traffic through a Microsoft Internet Security and Acceleration (ISA) Server-secured network address translator. In this scenario IPSec NAT Traversal (NAT-T) is supported and services requests to provide secure access to clients.
- Secure server. You can ensure secure communications with a specific server by requiring the use of IPSec for all connections to it.
- Layer Two Tunneling Protocol (L2TP) over IPSec (L2TP/IPSec) for remote access and site-to-site virtual private network (VPN) connections. In this scenario, you can provide secure communications for clients accessing a corporate network and also for branch offices to communicate securely.
- Site-to-site IPSec tunneling with non-Microsoft gateways. This supports interoperability with networks that do not run either L2TP/IPSec or Point-to-Point Tunneling Protocol (PPTP) VPNs.

IPSec Prerequisites.
- If you are going to deploy IPSec policies through Group Policy, then you must have Active Directory configured.
- Computers that are to use IPSec must have a policy assigned, and authentication must be configured correctly on BOTH ends.
- Operating systems, routers, firewalls and other devices must be able to support IPSec and must be configured for it.
Additional information regarding IPSec will be provided later in this clinic.

Windows Server Hardening
Windows Server 2008 hardens the operating system and protects the environment to provide a solid foundation for running business applications and services. With Windows Service Hardening, fewer services are running by default, and service accounts now have fewer privileges and limited network access. This helps keep systems safer by preventing critical Windows services from being used for abnormal activity in the file system, registry, or network. Windows Server 2008 also provides better protection for kernel-mode services by reducing the amount of code that has to run at the kernel level. By ensuring that services run with the least privilege necessary, service hardening improves system security. For example, in the past some printer drivers used both kernel-mode code and user-mode code.
With service hardening, printer drivers have been moved into the user-mode layer, which means that there is no kernel code in the drivers themselves.

Server and Domain Isolation
With Windows Server 2008, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. You can create a logical network inside an existing physical network, where computers share a common set of requirements for secure communications. In order to establish connectivity, each computer in the logically isolated network must provide authentication credentials to the other computers in the isolated network, which prevents unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network will be ignored. Two types of isolation are supported:
- Server isolation. In a server isolation scenario, specific servers are configured using IPSec policy to accept only authenticated communications from other computers (for example, a database server configured to accept connections only from a Web application server).
- Domain isolation. To isolate a domain, you can use Active Directory domain membership to ensure that domain member computers accept only authenticated and secured communications from other domain member computers. Domain isolation uses IPSec policy to provide protection for traffic sent between domain members, including all client and server computers.
Server and domain isolation can help protect specific high-value servers and data, as well as protect managed computers from unmanaged or rogue computers and users.

Active Directory Domain Services Auditing
When a writable domain controller is deployed where the security of the server cannot be guaranteed (such as a branch office), it is crucial to audit any changes that occur to the directory service.
The improvements made to the Audit directory service access global audit policy in Windows Server 2008 improve your ability to monitor these changes. Additional details regarding AD Domain Services Auditing will be provided later in this clinic.

Read-Only Domain Controller (RODC)
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the replica that is stored on the RODC. Changes must be made on a writable domain controller and replicated back to the RODC. This prevents a change that could otherwise be made at the RODC from polluting or corrupting the forest. Local applications that request Read access to the directory can obtain it. Lightweight Directory Access Protocol (LDAP) applications that request Write access receive an LDAP referral response, which directs them to a writable domain controller. Additional details regarding RODCs will be provided later in this clinic.

BitLocker Drive Encryption
Data security on lost or stolen PC devices, and on remotely located servers, is a growing concern among security experts and corporate executives. The data that is stored on these systems is often more valuable to a corporation than the asset itself, and the loss, theft, or unwanted disclosure of that data can be very damaging. In addition, recent government regulations focus on data protection and privacy; the unregulated disclosure of the data that each law or policy covers can be damaging, with some of the regulations demanding stiff fines and the potential for custodial sentences for offending executives. Many CEOs and board members are looking for solutions that increase the protections around data and provide compliance. The problem of data protection also extends to situations where systems need to be decommissioned; in fact, the cost of securely decommissioning a machine by using current methods can run into hundreds of dollars per device.
BitLocker Drive Encryption (BDE) is an integral new security feature in the Windows Server 2008 and Windows Vista operating systems that provides considerable protection for the operating system on your computer and for data stored on the operating system volume. BDE ensures that data remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks": attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately. As a result, this technology provides better data protection for computers located at branch offices. BitLocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows Server 2008 or Windows Vista file and system protections, or from viewing offline the files that are stored on the protected drive.

Removable Device Installation Control
Restricting the devices that users can install will help reduce the risk of data theft, and it can lower support costs by ensuring that users install only devices that the help desk is trained and equipped to support. Through Group Policy settings, Windows Server 2008 provides you with a way to protect data from being copied onto removable devices such as USB drives, and to control the installation of other devices such as keyboards and mice. You have flexibility in determining how removable devices may or may not be used, including:
- Preventing users from installing any device.
- Allowing users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
- Preventing users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
- Denying users read or write access to devices that are themselves removable, or that use removable media, such as CD and DVD burners, floppy disk drives, external hard drives, and portable devices such as media players, smart phones, or Pocket PC devices.

Enterprise PKI
There are a number of enhancements to the public key infrastructure (PKI) in Windows Server 2008, including:
- Easier management through PKIView.
- Certificate Web Enrollment.
- Network Device Enrollment Service.
- Certificate policy settings.
- Certificate deployment changes.
- Online Certificate Status Protocol (OCSP) support.
- Managing certificates with Group Policy.
- Cryptography Next Generation.
Additional details regarding Enterprise PKI improvements will be provided later in this clinic.

Technical Background
The following sections will provide technical background information regarding:
- Windows Firewall with Advanced Security.
- IPSec.
- Active Directory Domain Services Auditing.
- Read-Only Domain Controller (RODC).
- BitLocker Drive Encryption.
- Enterprise PKI.

Windows Firewall with Advanced Security
New features and improvements have been made to the Windows Firewall with Advanced Security (WFAS) that make it an effective tool for protecting your computers. The new features and tools will assist you in creating firewall rules to control incoming and outgoing communications. You can access the Windows Firewall with Advanced Security GUI through an MMC snap-in. The Windows Firewall item in Control Panel has limited functionality and does not have access to the advanced features that are available through the MMC snap-in. If you are using the MMC snap-in, you have the option of creating a policy on the local machine or on a remote machine. An invaluable feature is the ability to create IPSec rules within the same snap-in. The New Inbound or Outbound Rule Wizard is intuitive and will guide you through the creation process.
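The rules the wizard builds can also be scripted from the netsh advfirewall context that this clinic mentions. The following PowerShell script is an added example, not code from the clinic: it sets a block-inbound default, creates an inbound rule scoped to a service by short name and restricted to IPSec-authenticated computers in an Active Directory group, creates an outbound block rule, and checks that a rule exists. The group, service, port, subnet, program path and rule names are placeholders, and the SDDL layout used for rmtcomputergrp is assumed from the WFAS documentation.

```powershell
# Added example (not from the clinic handout): script WFAS rules with the
# "netsh advfirewall firewall" context, the command-line equivalent of the MMC snap-in.
# Assumptions: run in an elevated PowerShell session on Windows Server 2008;
# group, service, port, subnet and path values below are placeholders.

$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    # Run netsh with the given arguments and fail loudly on a non-zero exit code,
    # so a mistyped rule does not silently leave the host unprotected.
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    return $output
}

function Get-GroupSddl {
    # WFAS stores "authorized computers/users" as an SDDL string granting the
    # CC (connect) right to each SID; resolve the group name to its SID first.
    param([string]$GroupName)
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "O:LSD:(A;;CC;;;$sid)"   # SDDL layout assumed from the WFAS documentation
}

function New-AuthenticatedServiceRule {
    # Inbound rule scoped to a service by its short name (no executable path needed),
    # limited to a subnet and to IPSec-authenticated computers in one AD group.
    param(
        [string]$Name,
        [string]$ServiceName,     # e.g. 'TermService' (Remote Desktop)
        [int]$Port,
        [string]$RemoteSubnet,    # e.g. '10.20.0.0/16'
        [string]$ComputerGroup    # e.g. 'CONTOSO\Branch-Admin-Workstations'
    )
    $sddl = Get-GroupSddl -GroupName $ComputerGroup
    Invoke-Netsh -Arguments @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=in', 'action=allow', 'protocol=TCP',
        "localport=$Port", "remoteip=$RemoteSubnet", "service=$ServiceName",
        'security=authenticate',   # peer must have negotiated IPSec authentication
        "rmtcomputergrp=$sddl",    # ... and be a member of the group
        'profile=domain'
    ) | Out-Null
}

function New-OutboundBlockRule {
    # Outbound filtering is new in WFAS: stop one program from initiating any
    # connection on all profiles, whatever the default outbound policy is.
    param([string]$Name, [string]$ProgramPath)
    Invoke-Netsh -Arguments @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=out', 'action=block', "program=$ProgramPath",
        'remoteip=any', 'profile=any', 'enable=yes'
    ) | Out-Null
}

function Test-FirewallRule {
    # Returns $true when a rule with this exact name exists in the local policy
    # (netsh exits non-zero when no rule matches).
    param([string]$Name)
    $null = & netsh.exe advfirewall firewall show rule "name=$Name"
    return ($LASTEXITCODE -eq 0)
}

function Set-DefaultInboundBlock {
    # Default posture for all profiles: drop unsolicited inbound, allow outbound;
    # the specific allow rules above then open only the holes you intend.
    Invoke-Netsh -Arguments @('advfirewall', 'set', 'allprofiles',
                              'firewallpolicy', 'blockinbound,allowoutbound') | Out-Null
}

# Usage with placeholder values
Set-DefaultInboundBlock
New-AuthenticatedServiceRule -Name 'Remote Desktop (branch admins only)' `
    -ServiceName 'TermService' -Port 3389 -RemoteSubnet '10.20.0.0/16' `
    -ComputerGroup 'CONTOSO\Branch-Admin-Workstations'
New-OutboundBlockRule -Name 'Block legacy tool outbound' -ProgramPath 'C:\Tools\legacy.exe'
Test-FirewallRule -Name 'Remote Desktop (branch admins only)'
```

The inbound rule only matches once a connection security rule has actually negotiated IPSec with the peer, so it is paired in practice with the IPSec rules covered later in this section.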
The first step is determining what rule type you wish to create:
- Program
- Port
- Predefined (for rules that control connections for a Windows experience)
- Custom rule
The rule type you select determines the number and type of additional steps you will go through in creating your rule. Firewall rules can be based upon:
- IP protocol (TCP or UDP)
- Source and destination TCP and UDP ports, for all ports or for multiple ports
- Specific interfaces
- ICMP and ICMPv6 traffic type and code
- Services (originally based on a path to the service, but now can be based on a process or service name)
Like the current Windows Firewall in XP SP2, the new Windows Firewall is a stateful, host-based firewall that will allow or block network traffic according to its configuration and the applications that are currently running, to provide a level of protection from malicious users and programs on a network. The new Windows Firewall includes enhancements for better protection and more advanced configuration.

In this demonstration, you will see how to create an inbound and an outbound rule using the Windows Firewall with Advanced Security.
Key Points: Your instructor will demonstrate the following:
- Creating an inbound rule
- Creating an outbound rule
- Creating an IPSec rule
- Creating a firewall rule limiting a service

IPSec
IPSec is used to provide secure communications for IP (Internet Protocol) based networks. When IPSec is properly implemented it will provide security for communications in four main areas:
- Data integrity. Ensures that the contents of a packet have not been modified while in transit (either through accident or malicious intent).
- Data confidentiality. Ensures the packet has not been read while in transit (encryption).
- Authentication. Ensures that the packet did indeed come from the sender.
- Anti-replay.
A packet cannot be intercepted and replayed at a later time.

In previous versions of the operating system, Windows Firewall and IPSec were configured separately, and administrators often found the IPSec configuration confusing. In Windows Server 2008, Windows Firewall and IPSec have therefore been combined into a single configurable tool (Windows Firewall with Advanced Security) used to control both traditional firewall behavior and the protection of network traffic with IPSec. It is also possible to use commands within the netsh advfirewall context for command-line configuration of both firewall and IPSec behavior.

Windows Server 2008 includes a number of changes to IPSec which can assist you in tightening the security of traffic flowing to and from your branch offices. These improvements include:

Simplified IPSec policy configuration. When initiating communication with another network node, an IPSec node running Windows Server 2008 will try to communicate in the clear and negotiate protected communication in parallel. If the initiating IPSec peer does not receive a response to the initial negotiation attempt, the communication continues in the clear. If the initiating IPSec peer receives a response, the communication in the clear is halted until the negotiation can complete. This is an optional behavior and must be enabled before it takes effect.

Client-to-DC IPSec protection. Windows Server 2008 supports securing traffic between domain members and domain controllers in the following situations:
- The new negotiation behavior of IPSec means you no longer need to configure exemptions for domain controllers, which simplifies IPSec policy and the deployment of IPSec protection in a domain. You can configure IPSec policy in the domain to request protected traffic but not require it. Domain controllers will protect most traffic with domain members but allow clear text for domain joins and other types of traffic.
- You can configure IPSec policy to require protected traffic for domain controllers. When a computer running Windows Server 2008 or Windows Vista attempts to join the domain, the user is prompted for the user name and password of a domain user account. IPSec with the domain controller is negotiated with NTLM v2 user credentials for a protected domain join. This behavior is new and is only available for domain member computers running either Windows Vista or Windows Server 2008 and for domain controllers running Windows Server 2008.

Improved load balancing and clustering server support. In Windows Server 2008, the timeout for a cluster node failure is greatly reduced. IPSec is more tightly integrated into the Next Generation TCP/IP stack. Rather than relying on IPSec idle timeouts to detect a cluster node failure, IPSec in Windows Server 2008 monitors TCP connections for established Security Associations (SAs). If the TCP connection for an established SA begins retransmitting segments, IPSec will renegotiate the SAs. This results in the failover to a new cluster node happening quickly, typically in time to keep the application from failing.

Improved IPSec authentication. IPSec authentication in Windows Server 2008 adds support for the following capabilities:
- You can require that IPSec peers authenticate with a health certificate, which is issued by a certificate server when a Network Access Protection client proves that its health state is in compliance with current health policy.
- You can specify user-based or health-based authentication during a new IPSec negotiation mode known as extended mode, in which IPSec can perform an additional level of authentication.

Integration with NAP. You can require that IPSec nodes authenticate during extended mode negotiation with a health certificate, certifying that the IPSec node meets current system health requirements.
A health certificate server issues a health certificate after an IPSec peer's health status has been evaluated by a Network Policy Server (NPS).

Multiple authentication methods. When you select multiple authentication methods for computers running Windows Server 2008, IPSec will make multiple authentication attempts in an effort to perform mutual authentication.

New cryptographic support. Windows Server 2008 includes Cryptography Next Generation (CNG), which supports additional key derivation and encryption algorithms such as elliptic curve cryptography (ECC), allowing you to respond to governmental security requirements and to trends in the security industry toward stronger cryptography.

Integrated IPv4 and IPv6 support. IPSec support for IPv6 traffic in Windows Server 2008 is the same as that for IPv4, including support for IKE and data encryption. Policy settings for both IPv4 and IPv6 traffic are configured in the same way using either the Windows Firewall with Advanced Security or the IP Security Policies snap-in.

Extended events and performance monitor counters. Windows Server 2008 includes 15 new IPSec audit-specific events, and the text of 25 existing events has been updated with more useful information to help you troubleshoot failed IPSec negotiations without having to enable the advanced Oakley logging capability. Also included are IPSec performance counters to help identify performance and networking issues with IPSec-protected traffic.

Network Diagnostics Framework support. The Network Diagnostics Framework is an extensible architecture that helps you recover from and troubleshoot problems with network connections. For a failed IPSec negotiation, the Network Diagnostics Framework will prompt you with an option to identify and correct the problem. It then attempts to discover the source of the failed connection and either automatically fixes the problem or, depending on security considerations, prompts you to make the appropriate configuration changes.
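The domain isolation "request" policy and the server isolation "require" policy described in the Overview, together with the health-certificate and extended-mode user authentication options just listed, can be expressed as connection security rules. The following PowerShell script is an added example and not code from the clinic: it creates those rules through the netsh advfirewall consec context and reads back the negotiated security associations so you can confirm traffic is actually protected rather than falling back to the clear. The server address, client subnet, CA name and rule names are placeholders.

```powershell
# Added example (not from the clinic handout): domain isolation (request), server
# isolation (require + extended-mode user auth) and NAP health-certificate rules in
# the "netsh advfirewall consec" context, plus the monitor commands for SAs.
# Assumptions: run elevated on Windows Server 2008; addresses, subnet, CA name and
# rule names below are placeholders.

$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    # Run netsh and throw on failure so a rejected rule is never silently skipped.
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    return $output
}

function New-DomainIsolationRule {
    # Request, but do not require, authentication in both directions using Kerberos
    # computer credentials: domain members negotiate IPSec with each other, while a
    # peer that never answers the negotiation still connects in the clear.
    param([string]$Name = 'Domain Isolation (request)')
    Invoke-Netsh -Arguments @(
        'advfirewall', 'consec', 'add', 'rule', "name=$Name",
        'endpoint1=any', 'endpoint2=any',
        'action=requestinrequestout', 'auth1=computerkerb', 'profile=domain'
    ) | Out-Null
}

function New-ServerIsolationRule {
    # Require authenticated inbound traffic to one high-value server and add a second
    # (extended mode) Kerberos user authentication, so both the calling computer and
    # the logged-on user are verified before the server answers.
    param([string]$Name, [string]$ServerAddress, [string]$ClientSubnet)
    Invoke-Netsh -Arguments @(
        'advfirewall', 'consec', 'add', 'rule', "name=$Name",
        "endpoint1=$ServerAddress", "endpoint2=$ClientSubnet",
        'action=requireinrequestout',
        'auth1=computerkerb', 'auth2=userkerb', 'profile=domain'
    ) | Out-Null
}

function New-HealthCertificateRule {
    # NAP enforcement through IPSec: peers must present a health certificate issued
    # by the health certificate CA before traffic to this server is accepted.
    param([string]$Name, [string]$ServerAddress, [string]$HealthCA)
    Invoke-Netsh -Arguments @(
        'advfirewall', 'consec', 'add', 'rule', "name=$Name",
        "endpoint1=$ServerAddress", 'endpoint2=any',
        'action=requireinrequestout',
        'auth1=computercert', "auth1ca=$HealthCA", 'auth1healthcert=yes'
    ) | Out-Null
}

function Get-IPsecSecurityAssociations {
    # Main mode SAs show that authentication succeeded; quick mode SAs show that
    # traffic is being protected. Both empty after a connection attempt means the
    # peers fell back to the clear (request rule) or were dropped (require rule).
    $mm = Invoke-Netsh -Arguments @('advfirewall', 'monitor', 'show', 'mmsa')
    $qm = Invoke-Netsh -Arguments @('advfirewall', 'monitor', 'show', 'qmsa')
    return New-Object PSObject -Property @{ MainMode = $mm; QuickMode = $qm }
}

# Usage with placeholder values
New-DomainIsolationRule
New-ServerIsolationRule -Name 'SQL01 isolation (require)' `
    -ServerAddress '10.20.5.10' -ClientSubnet '10.20.6.0/24'
New-HealthCertificateRule -Name 'HR file server (NAP health cert)' `
    -ServerAddress '10.20.5.20' -HealthCA 'CN=Contoso Health CA,DC=contoso,DC=com'
Get-IPsecSecurityAssociations
```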
In this demonstration, you will see how to create IPSec rules using the Windows Firewall with Advanced Security.
Key Points: Your instructor will demonstrate the following:
- Creating an IPSec rule
- Specifying different authentication methods
- Activating/deactivating a rule

Active Directory Domain Services Auditing
When a writable domain controller is deployed where the security of the server cannot be guaranteed (such as a branch office), it is crucial to audit any changes that occur to the directory service. The improvements made to the Audit directory service access global audit policy in Windows Server 2008 improve your ability to monitor these changes. The Audit directory service access global audit policy controls auditing for directory service events, determining whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control which operations to audit by modifying the system access control list (SACL) on an object. In Windows Server 2008, this policy is enabled by default. In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, which controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
In Windows Server 2008, if you do not use these subcategories, auditing will be ineffective. Previously, AD DS auditing only logged the name of an attribute that was changed; it did not log the previous and current values of the attribute. Windows Server 2008 adds the ability to log the old and new values of an attribute when a successful change is made to that attribute.
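The subcategory switch and the resulting Security log events can be worked with from the command line. The following PowerShell script is an added example and not code from the clinic: it enables the Directory Service Changes subcategory with auditpol, reads back the DS Access category, parses the change events into the fields an analyst wants (who changed which attribute of which object, and the value added or removed), and flags membership changes on privileged groups. The event IDs are the documented Windows values for this subcategory; the group distinguished names are placeholders.

```powershell
# Added example (not from the clinic handout): enable the Directory Service Changes
# subcategory and read back the resulting Security log events, which carry the
# attribute's old and new values.
# Assumptions: run elevated on a domain controller with PowerShell 2.0 or later
# (Get-WinEvent); the group distinguished names in the usage section are placeholders.

$ErrorActionPreference = 'Stop'

# Directory Service Changes events (documented Windows event IDs, not from the handout)
$DsChangeEventIds = @{
    5136 = 'Modify'
    5137 = 'Create'
    5138 = 'Undelete'
    5139 = 'Move'
}

function Enable-DsChangeAuditing {
    # The legacy "Audit directory service access" setting alone is not enough on
    # Windows Server 2008: the subcategory must be on, and the object must carry a
    # SACL (set in ADSI Edit or Active Directory Users and Computers) for events to fire.
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /set failed (run elevated on the DC)' }
}

function Get-DsAuditState {
    # Shows all four DS Access subcategories so you can confirm the effective policy.
    return (& auditpol.exe /get /category:"DS Access")
}

function Get-DsChangeEvents {
    # Flatten each event's EventData into one object per audited change.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = @($DsChangeEventIds.Keys); StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Operation = $DsChangeEventIds[[int]$e.Id]
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN  = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            ValueOp   = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
        }
    }
}

function Find-PrivilegedGroupChanges {
    # Detection: a membership change on a high-value group is a 5136 event on the
    # group object's "member" attribute. Returns the matching change records.
    param([string[]]$GroupDNs, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-DsChangeEvents -Since $Since | Where-Object {
        $_.Attribute -eq 'member' -and ($GroupDNs -contains $_.ObjectDN)
    }
}

# Usage with placeholder distinguished names
Enable-DsChangeAuditing
Get-DsAuditState
Find-PrivilegedGroupChanges -GroupDNs @(
    'CN=Domain Admins,CN=Users,DC=contoso,DC=com',
    'CN=Enterprise Admins,CN=Users,DC=contoso,DC=com'
) | Format-Table Time, Operation, Subject, Value, ValueOp -AutoSize
```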
The ability to audit changes to objects in AD DS is enabled with the new audit subcategory Directory Service Changes. The types of changes that you can audit are create, modify, move, and undelete operations performed on an object. The events generated by these operations appear in the Security log.

Read-Only Domain Controller (RODC)
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the replica that is stored on the RODC. Changes must be made on a writable domain controller and replicated back to the RODC. This prevents a change that could otherwise be made at the RODC from polluting or corrupting the forest. Local applications that request Read access to the directory can obtain it. Lightweight Directory Access Protocol (LDAP) applications that request Write access receive an LDAP referral response, which directs them to a writable domain controller.

Credential caching. Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts Ticket-Granting Ticket (TGT) requests. After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials.
The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC.

Password Replication Policy. The Password Replication Policy determines whether a user's or computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them. When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL) and determines whether an RODC should be permitted to cache a password. Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support this capability:
- Domain RODC Password Replication Allowed Group. By default, this group has no members, and the Allowed List attribute associated with it contains only the Domain RODC Password Replication Allowed Group itself.
- Domain RODC Password Replication Denied Group. By default, this group contains Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, Domain Admins, Cert Publishers, Enterprise Admins, Schema Admins, and the domain-wide krbtgt account.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller has signed the TGT, the RODC forwards requests to a writable domain controller.) In the event that an RODC is decommissioned, all users whose credentials are currently cached on the RODC will be prompted to change their passwords when they next attempt to log on.
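The following Python model, added here and not part of the clinic workbook, shows how the Password Replication Policy decides whether a writable domain controller hands a principal's credentials to the RODC for caching, and what a stolen or decommissioned RODC then exposes. It assumes, as with an ACL, that a Denied-list match overrides an Allowed-list match; the principal names and the "Branch Users" group are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Default members of the Domain RODC Password Replication Denied Group,
# as listed in the workbook (the krbtgt entry is the domain-wide account).
DEFAULT_DENIED: Set[str] = {
    "Enterprise Domain Controllers", "Enterprise Read-Only Domain Controllers",
    "Group Policy Creator Owners", "Domain Admins", "Cert Publishers",
    "Enterprise Admins", "Schema Admins", "krbtgt",
}
ALLOWED_GROUP = "Domain RODC Password Replication Allowed Group"


@dataclass
class PasswordReplicationPolicy:
    """The PRP for one RODC: an Allowed list and a Denied list of groups.
    Assumption: a Denied match wins over an Allowed match, like a deny ACE."""
    allowed: Set[str] = field(default_factory=lambda: {ALLOWED_GROUP})
    denied: Set[str] = field(default_factory=lambda: set(DEFAULT_DENIED))

    def may_cache(self, principal: str, groups: Set[str]) -> Tuple[bool, str]:
        """Decide whether the writable DC may replicate this principal's
        secret to the RODC. The principal's own name is checked as well, so
        the domain krbtgt account is caught even without group membership."""
        identities = set(groups) | {principal}
        hit = identities & self.denied
        if hit:
            return False, "denied via " + ", ".join(sorted(hit))
        hit = identities & self.allowed
        if hit:
            return True, "allowed via " + ", ".join(sorted(hit))
        return False, "not on the Allowed list"


@dataclass
class Rodc:
    """A read-only DC with its credential cache (principal -> secret)."""
    policy: PasswordReplicationPolicy
    cache: Dict[str, str] = field(default_factory=dict)

    def logon(self, principal: str, groups: Set[str], hub_secret: str) -> str:
        """Service a logon. Cached credentials are served locally; otherwise the
        hub DC authenticates, and the secret is cached only if the PRP allows."""
        if principal in self.cache:
            return "served from RODC cache"
        ok, reason = self.policy.may_cache(principal, groups)
        if ok:
            self.cache[principal] = hub_secret  # replicated from the hub DC
            return "authenticated at hub, cached on RODC (" + reason + ")"
        return "forwarded to writable DC, not cached (" + reason + ")"

    def exposed_if_stolen(self) -> List[str]:
        """Only cached credentials are at risk if the RODC is stolen."""
        return sorted(self.cache)

    def decommission(self) -> List[str]:
        """Principals that must change their password when the RODC is retired."""
        affected = sorted(self.cache)
        self.cache.clear()
        return affected


def branch_office_scenario() -> Dict[str, str]:
    """Constructed scenario: a branch user added to the Allowed group, an
    ordinary user who was not added, and a domain admin who is in the Allowed
    group but is caught by the Denied list."""
    rodc = Rodc(PasswordReplicationPolicy())
    return {
        "alice first logon": rodc.logon("alice", {ALLOWED_GROUP, "Branch Users"}, "s1"),
        "alice second logon": rodc.logon("alice", {ALLOWED_GROUP, "Branch Users"}, "s1"),
        "bob": rodc.logon("bob", {"Domain Users"}, "s2"),
        "dana (admin)": rodc.logon("dana", {ALLOWED_GROUP, "Domain Admins"}, "s3"),
        "exposed": ", ".join(rodc.exposed_if_stolen()),
    }


if __name__ == "__main__":
    for step, outcome in branch_office_scenario().items():
        print(f"{step}: {outcome}")
```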
By limiting credential caching to only those users who have authenticated to the RODC, the potential exposure of credentials through a compromise of the RODC is also limited, because typically only a small subset of domain users has credentials cached on any given RODC. Thus, in the event that the RODC is stolen, only the credentials that are cached can potentially be cracked. Leaving credential caching disabled might further limit exposure, but would result in all authentication requests being forwarded to a writable domain controller. You can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC.

Administrator role separation. You can delegate the local administrator role of an RODC to any domain user without granting that user any user rights for the domain or for other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to manage the RODC in the branch office effectively without compromising the security of the rest of the domain.

BitLocker Drive Encryption

BitLocker enhances data protection by uniting two major subfunctions: drive encryption and integrity checking of early boot components. Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost, stolen, or inappropriately decommissioned computers. This protection is achieved by encrypting the entire Windows volume. With BitLocker, all user and system files are encrypted, including the swap and hibernation files.
Integrity checking of the early boot components helps to ensure that data decryption is performed only if those components appear unmolested and the encrypted drive is located in the original computer. BitLocker is tightly integrated into the operating system to provide a seamless, secure, and easily manageable data protection solution for the enterprise. For example, BitLocker can optionally use an enterprise's existing Active Directory Domain Services infrastructure to remotely escrow recovery keys. BitLocker also has a disaster recovery console that is integrated into the early boot components to provide in-the-field data retrieval. Under default usage, BitLocker requires no end-user actions, and even activation itself can be done remotely and automatically.

BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN), much like an ATM card PIN, or inserts a USB flash drive that contains keying material. These additional security measures provide multifactor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive is presented. This option is not recommended for use in a branch office scenario.

BDE provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. Additionally, BDE simplifies computer recycling by dramatically speeding up the process of secure hardware decommissioning. The day-to-day use of a Windows Server 2008 server or Windows Vista computer that is protected with BDE can be completely transparent to the user. In the event that a system lockout occurs (perhaps through a hardware failure or as a result of a direct attack), BDE offers a simple, efficient recovery process.

BDE Hardware and Software Requirements
- Operating system: Windows Server 2008.
- Operating system: Windows Vista, Enterprise and Ultimate editions only.
- TPM. A Trusted Platform Module (TPM) microchip, version 1.2 (turned on), and a Trusted Computing Group (TCG)-compliant BIOS. The TPM interacts with BDE to help provide seamless protection at system startup. This is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or changed, or if the startup information has changed, BDE enters recovery mode, and you will need a recovery password to regain access to the data. For more information about TPM specifications, see the TPM Specifications section of the Trusted Computing Group's Web site (http://go.microsoft.com/fwlink/?LinkId=72757).
- Partitions. Two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition.
- BIOS setting. The BIOS must be set to start up first from the hard drive, not from the USB or CD drives.

Enterprise PKI

There are a number of enhancements to the public key infrastructure (PKI) in Windows Server 2008, including:

Easier management through PKIView. Originally part of the Microsoft Windows Server 2003 Resource Kit and called the PKI Health tool, PKIView is a Microsoft Management Console (MMC) snap-in for Windows Server 2008 that is used to analyze the health state of CAs and to view details for CA certificates published in AD CS. PKIView provides a view of the status of the network's PKI environment. Having a view of all CAs and their current health states enables you to manage CA hierarchies and troubleshoot CA errors more easily and effectively. Specifically, PKIView indicates the validity or accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points (CDPs).

Certificate Web Enrollment. In Windows Server 2008, the ActiveX enrollment control has been replaced with a new COM enrollment control.
Network Device Enrollment Service. The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP); it used to be called Microsoft Simple Certificate Enrollment Protocol (MSCEP). It makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA). In Windows Server 2003, MSCEP was a Windows Server 2003 Resource Kit add-on that had to be installed on the same computer as the CA. In Windows Server 2008, it is part of the operating system and can be installed on a different computer than the CA. With NDES and SCEP, organizations can enhance security by allowing network devices such as routers and switches to be authenticated.

Managing certificates with Group Policy. In Windows Server 2008, certificate-related Group Policy settings can be found in the Group Policy Object Editor, under Computer Configuration\Windows Settings\Security Settings\Public Key Policies. The following policy options can be managed under separate tabs on the Certificate Path Validation Settings properties sheet:
- Stores
- Trusted Publishers
- Network Retrieval
- Revocation

In addition to the Enterprise Trust and Trusted Root Certification Authorities stores that were available in Windows Server 2003, four new policy stores have been added under Public Key Policies for use in distributing different types of certificates to clients:
- Intermediate Certification Authorities
- Trusted Publishers
- Untrusted Certificates
- Trusted People

Certificate deployment changes. User and computer certificates can be deployed by using a number of mechanisms, including auto-enrollment, the Certificate Request Wizard, and Web enrollment.
In Windows Server 2003, it was possible to distribute trusted root CA certificates and enterprise trust certificates by using Group Policy. To provide a more efficient means of distributing the growing variety of certificates to users and computers in your organization, Windows Server 2008 allows all of the following types of certificates to be distributed through Group Policy:
- Trusted root CA certificates
- Enterprise trust certificates
- Intermediate CA certificates
- Trusted publisher certificates
- Untrusted certificates
- Trusted people (peer trust) certificates

Online Certificate Status Protocol (OCSP) support. OCSP responses and Certificate Revocation Lists (CRLs) are two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an online responder receives and responds to client requests for the status of a single certificate. The amount of data retrieved per request therefore remains constant no matter how many revoked certificates there might be. This capability is supported in Windows Server 2008.

Cryptography Next Generation. Cryptography Next Generation (CNG) provides a flexible cryptographic development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications, such as Active Directory Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol security (IPSec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.

Implementation/Usage Scenarios

Enforce Security Policy

Network Location Awareness (NLA).
Network Location Awareness is built into the operating system and monitors the network for any changes. This monitoring and constant awareness ensures that client computers and servers can process Group Policy more efficiently and respond more quickly to slow or disconnected network segments. Network Location Awareness no longer depends upon ICMP (ping) for policy application, thereby speeding up the startup process for machines. It also means that network border devices cannot inhibit the processing of policies by blocking ICMP.

Network Access Protection (NAP). This new feature ensures compliance with specific health policies for systems accessing the network. Network Access Protection assists administrators in achieving and maintaining a specific health policy.

Improve Domain Security

Active Directory Domain Services Auditing. The Audit directory service access global audit policy controls auditing for directory service events to determine whether events are logged in the Security log when certain operations are carried out on objects in the directory. The improvements made to the Audit directory service access global audit policy in Windows Server 2008 improve your ability to monitor these changes.

Server and Domain Isolation. With Windows Server 2008, you can logically isolate server and domain resources to limit access to authenticated and authorized computers.

Enterprise PKI. There are a number of enhancements to the public key infrastructure (PKI) in Windows Server 2008 that will assist in improving security.

Improve System Security

BitLocker Drive Encryption (BDE). BDE ensures that data remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks," attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

Windows Server Hardening.
Windows Server 2008 hardens the operating system and protects the environment to provide a solid foundation for running business applications and services. With Windows Service Hardening, fewer services are running by default, and service accounts now have fewer privileges and limited network access.

Improve Network Communications Security

Windows Firewall with Advanced Security (WFAS). New features and improvements have been made to WFAS that make it an effective tool for protecting your computers. The new features and tools will assist you in the creation of firewall rules to control incoming and outgoing communications.

Internet Protocol Security (IPSec). IPSec is now integrated with WFAS to make it simpler to implement IPSec. In addition, Windows Server 2008 includes a number of changes to IPSec that can assist you in tightening the security of traffic flowing to and from systems throughout the enterprise.

Recommendations

To get the most from the new security features in Windows Server 2008, administrators should:
- Carefully test and plan all security policies.
- Implement Network Access Protection.
- Use Windows Firewall with Advanced Security to implement IPSec.
- Implement Active Directory Domain Services Auditing.
- Deploy Read-Only Domain Controllers where the physical security of the server cannot be guaranteed.
- Implement BitLocker Drive Encryption.
- Take advantage of the improvements in Windows Server 2008 to improve your enterprise PKI implementation.

Summary

Windows Server 2008 includes a variety of new security initiatives that provide new methods of security and policy enforcement, ensure the integrity and confidentiality of data, and improve the security of communications, including but not limited to:
- Network Access Protection.
- Windows Firewall with Advanced Security (WFAS) enhancements.
- IPSec improvements.
- Windows Server Hardening.
- Server and Domain Isolation.
- Active Directory Domain Services Auditing.
- Read-Only Domain Controllers (RODCs).
- BitLocker Drive Encryption.
- Removable Device Installation Control.
- Improvements to Enterprise PKI.

Network Access Protection

Objectives

At the end of this section, you will have learned the answers to the following questions:
- What is Network Access Protection?
- What are the benefits of using NAP?
- When should I use NAP?
- What can I control with NAP?
- What are the methods used to enforce NAP?
- What are the components of the NAP infrastructure?
- What are NAP policies?
- How are NAP policies configured?

Overview

Network Access Protection

Network administrators need a mechanism to ensure that any computer connecting to private network assets meets specific health policy requirements and has all requisite patches, hotfixes, and other measures applied. This process, known as maintaining computer health, is one of the most time-consuming challenges any network administrator faces. This complex task is made even more difficult when trying to maintain system health for users who are connecting from home systems, partner computers, and laptops that are not necessarily under the purview of the administrator. These same computers could easily infect a network and cause catastrophic damage. Network Access Protection (NAP) for Windows Server 2008 and Windows Vista provides this capability and has the requisite components and application programming interfaces. Using NAP, an administrator can enforce specific health policies that must be met BEFORE the client computer can access any network resource; if the client computer cannot meet the health requirements, it will not be allowed access.
Examples of the types of health requirements might be having current antivirus signatures installed, proper firewall configuration, security updates installed, or even group membership. This enforcement is done through the Network Policy Server, which you configure to meet your security and health policy requirements.

While Network Access Protection is designed to maintain the health policy of computers, it cannot protect the network from malicious users. An authorized user using a computer that meets health requirements can still run malicious programs or perform actions detrimental to the network. In short, NAP ensures that the computers accessing the network meet specific health requirements, but it cannot control the behavior of the users. It is anticipated that NAP will be used in networks that have clients connecting through VPNs or other remote access methods, or that have client computers that do not remain connected, such as laptop users.

Network Access Protection vs. Network Access Quarantine Control

There are some similarities between Network Access Protection (NAP) and Network Access Quarantine Control (NAQC), in that they are both used to help secure external access to the internal network. It is the mechanisms behind NAP and NAQC that define their difference. Network Access Quarantine Control is installed from the Windows Server 2003 Resource Kit or is included in Windows Server 2003 SP1/R2. NAQC protects the network from machines outside the network that attempt to connect remotely, either from dial-up or VPN connections, and does not protect the network from clients that are connecting from the inside. A client computer attempting to connect remotely that does not meet the specified health criteria in NAQC will be quarantined. An administrator must manually create the network policy requirement scripts that are used to compare the client computer against the defined network policy.
Technical Background

Network Access Protection consists of several components and architecture models that work in conjunction to provide security for the network. The infrastructure of NAP supports the different servers required to validate and remediate clients and to provide health certificates. The enforcement methods used by NAP (802.1X, DHCP, VPN, NPS RADIUS, and IPSec) provide flexibility in determining the appropriate method for securing client access to your network. The following slides will provide technical details regarding:
- NAP Infrastructure
- NAP Platform Architecture
- NAP Enforcement Methods
- NAP Client Architecture
- NAP Server Architecture
- Component Communication

There are four distinct and important parts to Network Access Protection: Automatic Remediation, Health Policy Validation, Health Policy Compliance, and Limited Access.

Automatic Remediation. Connecting computers will automatically receive required updates. This process allows a noncompliant computer that is in limited access to receive the required updates in order to become compliant.

Health Policy Validation. A computer attempting to connect will have its current health status validated against the health policies defined by an administrator. If a computer is not in compliance, an administrator can place the computer in a monitoring-only environment or in a restricted access environment. In a monitoring-only environment, all computers are granted access, even if they do not meet the defined health compliance standards, though their compliance status is logged. In a restricted access environment, any computer that does not meet compliance standards or is not compatible with Network Access Protection will only be granted access to a restricted network. A computer that meets compliance standards will be granted unlimited access (dependent on permissions and other group policies).
In either situation, if a computer is NAP compatible, it will be automatically updated with the required settings.

Health Policy Compliance. Non-compliant computers will automatically be updated to meet NAP requirements. Any missing files will be updated through a software management program such as Microsoft Systems Management Server or Systems Operations Center. If a computer is not in compliance, an administrator can place the computer in a monitoring-only environment or in a restricted access environment. In a monitoring-only environment, all computers are granted access and will receive any required updates; computers can access the network before they receive any updates. In a restricted access environment, any computer that does not meet compliance standards will have only limited access until the computer has received all required updates. As with Health Policy Validation, as long as a computer is NAP compatible, it will be automatically updated with the required settings.

Limited Access. In a limited access environment, the administrator specifies which computers have limited access, based on non-compliance with health policies. An administrator can specify limited access by time duration, a specific network segment, or a specific resource.

The platform architecture for NAP consists of the following components:

NAP Clients. Client computers that can use Network Access Protection for secure communications using 802.1X, DHCP, IPSec, or VPN connections.

NAP Servers. A computer running Windows Server 2008 that uses a Network Policy Server (NPS). The Network Policy Server is used to determine the system health of any connecting NAP clients. It also determines whether access to the network is allowed, whether communication is permitted, and what type of remediation actions (if any) are required for computers that are not compliant.
These include the following NAP servers:
- Health Registration Authority
- VPN Server
- DHCP Server

NPS Servers. The Network Policy Server is the replacement for the Internet Authentication Service (IAS). NPS runs on a computer running Windows Server 2008 and validates system health policy compliance and network access.

Policy Servers. Computers that provide the current system health state for Network Policy Servers.

Active Directory Directory Service. Group Policy settings for IPSec-based communications and VPN and 802.1X credentials are stored in the directory service for connection validation.

Restricted Network. This is a separate network segment (logical or physical) that contains the Remediation Servers. A remediation server provides the updates needed by non-compliant computers while they are in a limited access state.

Remediation Server. A remediation server is a server (or servers) on which reside the resources and services that noncompliant clients can use to come into compliance. The remediation servers are available on the restricted network so that they can be reached by noncompliant clients that are not allowed full network access. The remediation server provisions the NAP client with the required updates to bring it into compliance with health policy.

Health Certificate Server. The Health Certificate Server is responsible for issuing X.509 certificates to quarantined clients once they have met the system health validation requirements.

System Health Agent. The System Health Agent (SHA) is a specific, defined system health requirement or a set of health requirements. The System Health Agent can be configured to check for a particular health parameter and can be matched to a specific remediation server. The System Health Agent sends a Statement of Health (SoH) to the appropriate System Health Validator (SHV).

System Health Validator.
The System Health Validator compares the Statement of Health sent from a System Health Agent against the configured quarantine policy. If there is a match, the specific check made by the SHA is compliant with the network security policy. Based on the check made by the System Health Validator, a Statement of Health Response (SoHR) message is sent to the quarantine server stating whether the system is or is not in compliance with the required health state, along with any remediation instructions. The quarantine server is responsible for gathering the responses from each of the SHVs and determines which machines, if any, need to be quarantined. The System Health Validator runs on the NPS server.

Statement of Health. A Statement of Health is the statement sent by a System Health Agent to a System Health Validator.

A common misconception is that the quarantine is some sort of empty black hole in cyberspace. The fact is that the quarantine network is anything but empty. While an SMS server must be accessible from within Quarantine Mode, there are other components that must be accessible from Quarantine Mode as well. For starters, the quarantine network must have a DNS server. Keep in mind, though, that this server can simply be a forwarding DNS server; it does not have to be the organization's primary DNS server. Finally, the DHCP server and IAS server (VPN Quarantine Mode only) must be accessible whether a machine is quarantined or not. Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated.

In a typical scenario, a Network Access Protection Enforcement Client requests access to the network. The NAP server itself must be running Windows Server 2008, and clients must be running Windows Vista. The request is passed along to a NAP server, which indicates whether the access is limited or unlimited.
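An added Python model (mine, not the workbook's) of the validation path just described: each SHA produces an SoH, the SHV on the NPS compares it with the configured policy and returns an SoHR carrying remediation instructions, and the quarantine logic gathers the SoHRs and applies either the monitoring-only or the restricted-access mode, including the case of a client that is not NAP-capable. The policy fields and the two sample client states are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class StatementOfHealth:
    """SoH: one SHA's report of the health parameters it is responsible for."""
    sha: str
    claims: Dict[str, object]


@dataclass
class StatementOfHealthResponse:
    """SoHR: the SHV's verdict for one SoH, plus remediation instructions."""
    sha: str
    compliant: bool
    remediation: List[str] = field(default_factory=list)


# Constructed quarantine policy: for each SHA, the claim values required.
# The checks mirror the workbook's examples (firewall, antivirus, updates).
QUARANTINE_POLICY: Dict[str, Dict[str, object]] = {
    "firewall": {"enabled": True},
    "antivirus": {"enabled": True, "signatures_current": True},
    "updates": {"security_updates_installed": True},
}


def validate(soh: StatementOfHealth,
             policy: Dict[str, Dict[str, object]] = QUARANTINE_POLICY
             ) -> StatementOfHealthResponse:
    """System Health Validator: compare one SoH with the policy for its SHA."""
    required = policy.get(soh.sha)
    if required is None:
        # No policy configured for this SHA: nothing to enforce.
        return StatementOfHealthResponse(soh.sha, True)
    failed = [key for key, want in required.items() if soh.claims.get(key) != want]
    steps = [f"{soh.sha}: set {key} to {required[key]}" for key in failed]
    return StatementOfHealthResponse(soh.sha, not failed, steps)


def quarantine_decision(sohs: List[StatementOfHealth], mode: str,
                        nap_capable: bool = True) -> Tuple[str, List[str], str]:
    """Quarantine server: gather every SHV verdict and apply the enforcement
    mode. Returns (access, remediation steps, log line). mode is
    'monitoring' (log only, admit everyone) or 'restricted'."""
    if mode not in ("monitoring", "restricted"):
        raise ValueError("mode must be 'monitoring' or 'restricted'")
    if not nap_capable:
        # A non-NAP-capable client cannot present SoHs at all.
        access = "full" if mode == "monitoring" else "restricted"
        return access, [], f"non-NAP-capable client -> {access} access"
    responses = [validate(soh) for soh in sohs]
    # An SHA that the policy covers but the client did not report on has not
    # been checked, which counts as non-compliant.
    missing = sorted(set(QUARANTINE_POLICY) - {soh.sha for soh in sohs})
    steps = [s for r in responses for s in r.remediation]
    steps += [f"{sha}: no statement of health received" for sha in missing]
    compliant = all(r.compliant for r in responses) and not missing
    if compliant:
        return "full", [], "compliant -> full access"
    if mode == "monitoring":
        return "full", steps, f"non-compliant ({len(steps)} issues) -> full access, logged"
    return "restricted", steps, f"non-compliant ({len(steps)} issues) -> restricted network"


# Constructed client states
HEALTHY_CLIENT = [
    StatementOfHealth("firewall", {"enabled": True}),
    StatementOfHealth("antivirus", {"enabled": True, "signatures_current": True}),
    StatementOfHealth("updates", {"security_updates_installed": True}),
]
STALE_CLIENT = [
    StatementOfHealth("firewall", {"enabled": True}),
    StatementOfHealth("antivirus", {"enabled": True, "signatures_current": False}),
    # no "updates" SoH at all
]

if __name__ == "__main__":
    for name, sohs in (("healthy", HEALTHY_CLIENT), ("stale", STALE_CLIENT)):
        for mode in ("monitoring", "restricted"):
            access, steps, log = quarantine_decision(sohs, mode)
            print(f"{name}/{mode}: {log}; remediation={steps}")
```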
The following are the methods of NAP client enforcement:

Internet Protocol Security (IPSec). IPSec Enforcement uses a Health Registration Authority (HRA) to issue an X.509 certificate to clients with limited access once they are in compliance with health policy requirements. The issued certificate is used to authenticate NAP clients when initiating or requesting IPSec communications. The IPSec NAP EC is the most secure of the limited network access protection measures in NAP.

IEEE 802.1X authenticated connections. The 802.1X Enforcement method uses a Network Policy Server and an EAPHost NAP Enforcement Client (EC). When a non-compliant client tries to connect to an access point, the NPS sends a message to the access point telling it to place a restricted access profile on the 802.1X client until it is in compliance.

Virtual Private Networks (VPN). The VPN Enforcement method consists of a VPN NAP Enforcement Server (ES) component and a VPN NAP EC component. When a client computer attempts to connect to the network remotely using VPN, the VPN server validates the health policy of the computer. VPN Enforcement provides strong limited network access for all computers accessing the network through a VPN connection.

Dynamic Host Configuration Protocol (DHCP). DHCP Enforcement comprises DHCP NAP ES and DHCP NAP EC components. Using DHCP Enforcement, DHCP servers can check and enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest of the enforcement measures to deploy, because all DHCP client computers must lease and renew IP addresses at some point. One drawback of DHCP Enforcement is that it is the weakest form of limited network access, because DHCP Enforcement relies on entries in the IP routing table.

NPS/RADIUS.
The Remote Authentication Dial-In User Service (RADIUS) component of Network Policy Server is the only enforcement measure that does not have its own NAP Enforcement Server or Enforcement Client component. Instead, NPS/RADIUS works as a policy server in conjunction with the NAP ES and NAP EC components. Administrators must define system health requirements in the form of policies on the NPS server. Network Policy Servers provide health policy checks and coordinate with the Active Directory Directory Service any time a client computer attempts to obtain a health certificate or to connect to an 802.1X access point, a VPN server, or a DHCP server. When using NPS/RADIUS, you must add a RADIUS client for each access device or NAP server that requires NAP health determination. You do this through the NAP RADIUS Client Wizard.

In this demonstration, you will see how to create NAP policies in Windows Server 2008.

Key Points. Your instructor will demonstrate the following:
- Creating NAP policies
- Using the MMC to create client NAP configuration settings
- Creating a new RADIUS client
- Creating new System Health Validators for Windows Vista and Windows XP SP2

The following sections discuss the following with respect to NAP:
- Logical Networks
- IPSec Enforcement
- IEEE 802.1X
- Remote Access VPNs
- DHCP

Logical Networks

IPSec Enforcement divides the physical network into three distinct logical networks. A computer can be a member of only one logical network at any one time. The logical networks for IPSec Enforcement are defined by the current state of the connecting computers: some computers have health certificates, and some of those additionally require IPSec authentication with health certificates for incoming communication attempts.
The three logical networks enable computers to be placed into limited access areas with access to remediation, while still providing compliant computers with a level of protection from noncompliant computers. IPSec Enforcement defines the following logical networks:

Secure Network. This comprises the computers that have valid health certificates, require that incoming communication attempts authenticate with health certificates, and share a common set of IPSec policy settings for providing IPSec protection.

Boundary Network. The boundary network contains computers that possess health certificates and use IPSec protection, but do not require incoming communication attempts to be authenticated with health certificates.

Restricted Network. This set of computers does not have health certificates. They have not completed health checks, are guests, or are not NAP-capable computers, such as computers running versions of Windows that do not support NAP, Apple Macintosh computers, or UNIX-based computers.

Given the three types of logical networks (secure, boundary, and restricted), IPSec communication between these areas proceeds as follows:

Within the Secure Network. Health-compliant computers within the secure network have health certificates. The two computers validate each other's health certificates. IPSec authentication is successful, and subsequent data traffic is protected with IPSec. The result is authenticated peers and protected traffic.

Secure Network to Boundary Network. A computer trying to communicate with another computer in the boundary network uses IPSec authentication with its own health certificate. Computers in the boundary network have valid health certificates and validate the health certificate of the peer. IPSec authentication is successful, and subsequent data traffic is protected with IPSec. The result is authenticated peers and protected traffic.
Secure Network to Restricted Network. A computer trying to communicate with another computer in the restricted network will attempt to use IPSec authentication using its own health certificate. Computers in the restricted network do not have health certificates and IPSec communication will fail. Communication to this logical network will be unsecure. 50 Security and Policy Enforcement in Windows Server 2008 Within the Boundary Network. A computer trying to communicate with another computer in the boundary network will use IPSec authentication using its own health certificate. Computers in the boundary network have valid health certificates and will validate the health certificates of the other. IPSec authentication is successful and subsequent data traffic is protected with IPSec. Boundary Network to Secure Network. A computer trying to communicate with another computer in the secure network will use IPSec authentication using its own health certificate. Computers in the boundary network have valid health certificates and will validate the health certificates of the other. IPSec authentication is successful and subsequent data traffic is protected with IPSec. Boundary Network to Restricted Network. A computer trying to communicate with another computer in the restricted network will attempt to use IPSec authentication using its own health certificate. Computers in the restricted network do not have health certificates and IPSec communication will fail. Communication to this logical network will be unsecure. Within the Restricted Network. Computers in the restricted network are either not NAP clients or are NAP clients that do not have a health certificate. Computers in the restricted network do not have health certificates and IPSec communication will fail. Communication within this logical network will be unsecure. Restricted Network to Boundary Network. 
When a computer in the restricted network initiates unprotected communication with a computer in the boundary network, the boundary network computer allows the unprotected communication and responds with unprotected traffic because the boundary network computer does not require IPSec protection for incoming communication requests. The result is unauthenticated peers and unprotected traffic when a computer in the restricted network initiates communication with a computer in the boundary network. Restricted Network to Secure Network. This will only lead to dropped or failed communications as the computers in the restricted network are not using IPSec. Security and Policy Enforcement in Windows Server 2008 51 A health certificate is obtained to validate the compliance of a computer with the health policy. A computer will need to obtain a health certificate and become a member of the secure or boundary networks. A NAP client using IPSec Enforcement using the following process: When the computer starts, the host-based firewall is enabled but does not allow any exceptions so that no other computer can initiate communications with it until it is in compliance or is blocked. At this point, the computer is in the restricted network because it does not have a health certificate to validate compliance. The computer can communicate with other computers in the restricted and boundary networks and can access the Internet. However, it cannot initiate communications with computers in the secure network until it has received a health certificate. NAP client obtains network access and an IP address configuration. The IPSec NAP EC on the NAP client creates an HTTPS secure communication channel with the HRA. The IPSec NAP EC sends its credentials, a certificate request for a health certificate, and its list of SoHs to the HRA over the HTTPS channel. The HRA passes the list of SoHs to the NPS server as RADIUS vendor-specific attributes (VSAs) in a RADIUS Access-Request message. 
52 Security and Policy Enforcement in Windows Server 2008 The NPS server receives the RADIUS Access-Request message, extracts the list of SoHs from the RADIUS VSAs, and passes the list of SoHs to the NAP Administration Server component. The NAP Administration Server receives the list of SoHs and forwards the SoHs to the appropriate SHVs. Each SHV analyzes the contents of the SoH passed by the NAP Administration Server and then constructs and sends a Statement of Health Response (SoHR) to the NAP Administration Server component. The NAP Administration Server passes the list of SoHRs to NPS. NPS compares the list of SoHRs to a configured set of network access and system health policies and then makes a limited/unlimited network access decision. NPS constructs and sends a RADIUS Access-Accept message containing the System Statement of Health Response (SSoHR)—indicating whether the client has limited or unlimited network access—and the list of SoHRs as RADIUS VSAs. The HRA sends the SSoHR and the list of SoHRs back to the IPSec NAP EC on the NAP client. If the NAP client is compliant, the HRA obtains a health certificate from the existing public key infrastructure (PKI) and sends it to the NAP client. If the NAP client is issued a health certificate via the HRA, it adds that certificate to its computer certificate store. If the IPSec policy settings have not already been configured, the IPSec NAP EC configures IPSec settings to authenticate using the health certificate for IPSec-based communications. The IPSec NAP EC configures the host-based firewall to allow incoming communications from any peer that uses a health certificate for IPSec authentication. The NAP client is now a member of the secure network. The IPSec NAP EC performs steps 3-12 whenever new SoH information arrives at the NAP Agent or when the health certificate is about to expire. 
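The nine communication cases above follow from two properties of each computer. The following Python model is an added example for this clinic, not Microsoft code or part of the original text: it derives each outcome from whether the initiator and the responder hold a health certificate and whether the responder requires one on incoming attempts. The class and function names are the example's own.

```python
"""Model of the NAP IPSec Enforcement logical networks (added example, not Microsoft code).

Each computer is reduced to two facts used by the clinic text: whether it holds a
health certificate, and whether it requires a health certificate from any peer
that initiates communication to it. The outcome of a connection attempt is
derived from those facts, so the nine network-to-network cases fall out of
three rules instead of being listed by hand.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Net(Enum):
    SECURE = "secure"
    BOUNDARY = "boundary"
    RESTRICTED = "restricted"


class Outcome(Enum):
    PROTECTED = "authenticated peers, IPSec-protected traffic"
    UNPROTECTED = "unauthenticated peers, unprotected traffic"
    DROPPED = "dropped: responder requires a health certificate"


@dataclass(frozen=True)
class Host:
    """A computer placed in one of the three logical networks."""
    network: Net

    @property
    def has_health_cert(self) -> bool:
        # Secure and boundary members hold a health certificate; restricted ones do not.
        return self.network in (Net.SECURE, Net.BOUNDARY)

    @property
    def requires_cert_inbound(self) -> bool:
        # Only secure-network members drop inbound attempts that lack a health certificate.
        return self.network is Net.SECURE


def attempt(initiator: Host, responder: Host) -> Outcome:
    """Outcome when `initiator` opens a connection to `responder`."""
    if initiator.has_health_cert and responder.has_health_cert:
        # Both sides can authenticate with a health certificate: IPSec succeeds.
        return Outcome.PROTECTED
    if responder.requires_cert_inbound:
        # The initiator cannot present a health certificate to a responder that demands one.
        return Outcome.DROPPED
    # One side lacks a certificate and the responder tolerates clear text.
    return Outcome.UNPROTECTED


def matrix() -> dict[tuple[Net, Net], Outcome]:
    """All nine initiator/responder combinations."""
    return {(a, b): attempt(Host(a), Host(b)) for a in Net for b in Net}


def reachable_unprotected_from(initiator: Net) -> list[Net]:
    """Networks that `initiator` can talk to only in clear text (an audit view)."""
    return [b for b in Net if attempt(Host(initiator), Host(b)) is Outcome.UNPROTECTED]


if __name__ == "__main__":
    for (a, b), outcome in matrix().items():
        print(f"{a.value:>10} -> {b.value:<10} {outcome.value}")
```

Running it prints the full matrix. The audit view `reachable_unprotected_from(Net.SECURE)` makes the caveat explicit: a secure-network computer still sends clear text when it initiates a connection to a restricted computer, so IPSec Enforcement protects compliant hosts from inbound attempts, not from their own outbound connections to noncompliant peers.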
Noncompliant IPSec-based NAP Client
If the IPSec-based NAP client is not in compliance, or does not have a health certificate, it cannot initiate communication with computers in the secure network. The noncompliant NAP client performs the following remediation process to become a member of the secure network:

1. The IPSec NAP EC passes the list of SoHRs to the NAP Agent.
2. The NAP Agent forwards each SoHR to the appropriate SHA.
3. Each SHA analyzes its SoHR and, based on the contents, performs the remediation needed to correct the NAP client's system health state.
4. After an SHA has performed its remediation, it passes an updated SoH to the NAP Agent.
5. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new list of SoHs, and passes it to the IPSec NAP EC.
6. The IPSec NAP EC establishes a new HTTPS secure session with the HRA and sends the new list of SoHs.
7. The HRA receives the list of SoHs and sends it to the NPS server.
8. The NPS server receives the list of SoHs and passes it to the NAP Administration Server.
9. The NAP Administration Server receives the list of SoHs and, assuming that it has not already cached the SoHRs, forwards each SoH to the appropriate SHV.
10. The SHVs analyze the contents of their SoHs and then construct and send SoHRs to the NAP Administration Server.
11. The NAP Administration Server passes the list of SoHRs to NPS.
12. NPS compares the list of SoHRs to the configured set of network access and system health policies and makes an unlimited network access decision.
13. NPS constructs and sends a RADIUS Access-Accept message containing the SSoHR and the list of SoHRs.
14. The HRA receives the RADIUS Access-Accept message, extracts the SSoHR and the list of SoHRs, and sends them to the NAP client over the HTTPS session.
15. Because the NAP client is now compliant, the HRA obtains a health certificate and sends it to the NAP client.

Network Access Protection provides enforcement for the following technologies in Windows Vista and Windows Server 2008:
- IPSec
- IEEE 802.1X
- VPN connections
- DHCP
Administrators can use these technologies separately or together to limit the network access of noncompliant computers. NPS acts as the policy server for all of them.

IPSec Enforcement
Overview and Capabilities
IPSec support in NAP consists of a Health Registration Authority (HRA) and an IPSec NAP EC on NAP clients. The HRA is a computer running Windows Server 2008 and Internet Information Services (IIS). The HRA obtains X.509 certificates from a certification authority (CA) for NAP clients when the NPS server has determined the clients to be compliant. NAP clients use health certificates for IPSec authentication when they initiate IPSec-protected communication with other NAP clients on an intranet. Health certificates can also be used for IEEE 802.1X authentication or by applications. If a NAP client does not have a health certificate, IPSec peer authentication fails and the NAP client cannot initiate communication with a compliant IPSec peer.

IPSec Enforcement confines communication on your network to the computers that are considered compliant and protects network traffic end-to-end, rather than just across a network connection. By leveraging IPSec and its configuration flexibility, IPSec Enforcement lets you define requirements for secure communication with compliant clients on a per-IP address or per-TCP or User Datagram Protocol (UDP) port basis. For example, you could specify IPSec policy settings so that all Remote Procedure Call (RPC) traffic is subject to IPSec Enforcement.
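The compliant and noncompliant IPSec procedures above, and the 802.1X, VPN and DHCP procedures later in this section, which differ only in how the SoHs and SoHRs are transported, share one evaluation loop. The following Python simulation is an added example, not Microsoft code: the `WindowsSecuritySHA`/`WindowsSecuritySHV` pair, the `POLICY` settings and the in-process call that stands in for the HRA/NPS transport are assumptions of the example, chosen to mirror the kind of checks the Windows Security Health Validator performs.

```python
"""Simulation of the NAP health-evaluation and remediation loop (added example, not Microsoft code).

The client's SHAs produce SoHs, NPS hands each SoH to the matching SHV, the SHVs
return SoHRs, NPS folds them into an SSoHR (limited or unlimited access), and the
client's SHAs remediate from the SoHRs and try again. The SHA/SHV pair, the policy
settings and the plain function call that replaces HTTPS, PEAP-TLV or DHCP
transport are this example's own simplifications.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SoH:
    sha_id: str
    settings: dict[str, object]


@dataclass
class SoHR:
    sha_id: str
    compliant: bool
    required: dict[str, object] = field(default_factory=dict)  # setting -> required value


@dataclass
class SSoHR:
    unlimited: bool
    sohrs: list[SoHR]


# Hypothetical health policy in the style of the Windows Security Health Validator.
POLICY = {
    "firewall_enabled": True,
    "automatic_updates": True,
    "antivirus_signature_age_days": 7,  # maximum acceptable age
}


class WindowsSecuritySHA:
    """Client-side agent: reports its state and remediates from an SoHR."""
    sha_id = "WindowsSecurity"

    def __init__(self, state: dict[str, object]) -> None:
        self.state = dict(state)

    def statement_of_health(self) -> SoH:
        return SoH(self.sha_id, dict(self.state))

    def remediate(self, sohr: SoHR) -> None:
        for setting, required in sohr.required.items():
            if setting == "antivirus_signature_age_days":
                self.state[setting] = 0          # simulate a signature update
            else:
                self.state[setting] = required   # e.g. turn the firewall on


class WindowsSecuritySHV:
    """Server-side validator: compares an SoH with the policy and answers with an SoHR."""
    sha_id = "WindowsSecurity"

    def __init__(self, policy: dict[str, object]) -> None:
        self.policy = policy

    def validate(self, soh: SoH) -> SoHR:
        required = {}
        for setting, wanted in self.policy.items():
            actual = soh.settings.get(setting)
            if setting == "antivirus_signature_age_days":
                ok = isinstance(actual, int) and actual <= wanted
            else:
                ok = actual == wanted
            if not ok:
                required[setting] = wanted
        return SoHR(self.sha_id, not required, required)


class NPS:
    """NPS plus the NAP Administration Server: routes SoHs to SHVs and decides access."""

    def __init__(self, shvs: list[WindowsSecuritySHV]) -> None:
        self.shvs = {s.sha_id: s for s in shvs}

    def evaluate(self, sohs: list[SoH]) -> SSoHR:
        sohrs, seen = [], set()
        for soh in sohs:
            shv = self.shvs.get(soh.sha_id)
            if shv is None:
                # Assumption: an SoH with no validator counts as noncompliant
                # (real NPS makes such error conditions configurable per SHV).
                sohrs.append(SoHR(soh.sha_id, False))
                continue
            seen.add(soh.sha_id)
            sohrs.append(shv.validate(soh))
        for sha_id in self.shvs.keys() - seen:
            # A client that sent no SoH for a required SHV must not pass by default:
            # without this, an empty list would satisfy all() and be granted access.
            sohrs.append(SoHR(sha_id, False))
        return SSoHR(unlimited=all(r.compliant for r in sohrs), sohrs=sohrs)


def nap_client_loop(shas: list[WindowsSecuritySHA], nps: NPS, max_rounds: int = 3) -> tuple[bool, int]:
    """Run the client's evaluate/remediate cycle. Returns (unlimited access, rounds used)."""
    by_id = {s.sha_id: s for s in shas}
    for round_no in range(1, max_rounds + 1):
        ssohr = nps.evaluate([s.statement_of_health() for s in shas])
        if ssohr.unlimited:
            return True, round_no
        for sohr in ssohr.sohrs:
            if not sohr.compliant and sohr.sha_id in by_id:
                by_id[sohr.sha_id].remediate(sohr)
    return False, max_rounds


if __name__ == "__main__":
    # Constructed client state: firewall off, signatures a month old.
    sha = WindowsSecuritySHA({"firewall_enabled": False, "automatic_updates": True,
                              "antivirus_signature_age_days": 30})
    print(nap_client_loop([sha], NPS([WindowsSecuritySHV(POLICY)])))
```

The missing-SoH handling in `NPS.evaluate` is the detail worth checking in any real deployment: a client that reports nothing must not be treated as compliant. In NPS the corresponding error conditions (SHA not responding, SHV unable to contact required services, and so on) are mapped to compliant or noncompliant per SHV in the SHV's error code resolution settings, and should be reviewed rather than left at their defaults.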
IPSec Enforcement is the strongest and most flexible form of limited network access in Network Access Protection.

IPSec Enforcement vs. VPN and DHCP Enforcement
VPN Enforcement limits the access of noncompliant VPN clients that attempt to reach a private intranet through a VPN connection. DHCP Enforcement limits the access of noncompliant DHCP clients that attempt to obtain a valid IP address configuration. In both cases, access to the restricted network is based on a client-server relationship and is implemented at the server through which network access or configuration is being requested: for VPN Enforcement, the VPN server enforces the limited network access of noncompliant VPN clients; for DHCP Enforcement, the DHCP server provides settings that limit the access of noncompliant DHCP clients.

With IPSec Enforcement, the communication attempt is made end-to-end, rather than from a specific type of client to a specific type of server. Unlike VPN and DHCP Enforcement, IPSec Enforcement is enforced by each individual computer rather than at the point of entry into the network, and the determination of client health is performed by the HRA, a computer separate from the one with which communication is being attempted. IPSec Enforcement limits the access of noncompliant clients that attempt to communicate after network access to the intranet has already been obtained and a valid IP address configuration has been allocated. It does so by having each IPSec-based NAP client drop incoming communication attempts from computers that do not have health certificates.

Using IPSec Enforcement with Existing IPSec Protection
IPSec Enforcement can be used in conjunction with the following IPSec deployment scenarios: secure server, server isolation, and domain isolation.

Secure Server. An IPSec secure server deployment uses IPSec policy to protect traffic sent between specific sets of servers, such as the traffic between database servers or between domain controllers. IPSec Enforcement can be deployed in conjunction with a secure server deployment so that the combination of IPSec policy settings and NAP policy settings ensures that the servers remain healthy and use IPSec to protect the traffic sent between them.

Server Isolation. An IPSec server isolation deployment uses IPSec policy to protect traffic sent between all domain members and a specific set of servers, such as the traffic between database client computers that are domain members and the database servers. IPSec Enforcement can be deployed in conjunction with a server isolation deployment so that the combination of IPSec policy settings and NAP policy settings ensures that the domain members and the specific sets of servers remain healthy, and that communication with compliant NAP client computers is protected with IPSec on a per-server or per-application basis.

Domain Isolation. An IPSec domain isolation deployment uses IPSec policy to protect traffic sent between all domain members, including all client and server computers. IPSec Enforcement can be deployed in conjunction with a domain isolation deployment so that the combination of IPSec policy settings and NAP policy settings ensures that domain members remain healthy and that traffic sent between domain members is authenticated with domain credentials, a health certificate, or both, and is protected with IPSec.
For more information on Server and Domain Isolation see: http://www.microsoft.com/technet/network/sdiso/default.mspx

IEEE 802.1X
IEEE 802.1X Enforcement instructs an 802.1X-capable access point to apply a limited access profile, either a set of IP packet filters or a virtual LAN identifier (VLAN ID), to the traffic of a noncompliant 802.1X client so that it can reach only resources on the restricted network. With IP packet filtering, the 802.1X-capable access point applies the IP packet filters to the IP traffic exchanged with the 802.1X client and silently discards all packets that do not correspond to a configured packet filter. With VLAN IDs, the 802.1X-capable access point applies the VLAN ID to all of the packets exchanged with the 802.1X client, and the traffic does not leave the VLAN that corresponds to the restricted network.

To indicate its health state, an 802.1X NAP client can use one of the following:

List of SoHs. The EAPHost NAP EC sends its list of SoHs in a PEAP-TLV message, in the same way as for VPN-based connections.

A health certificate. The EAPHost NAP EC sends its health certificate. Because the certificate was issued only after the HRA and NPS validated the client's SoHs, the NPS server does not have to check a list of SoHs to determine the health state of the connecting client: if the health certificate is valid, the client is compliant. Using a health certificate is the recommended method of health validation for 802.1X connections.

The following process occurs when a NAP-capable 802.1X client connects to an 802.1X access point and sends its list of SoHs for health validation:

1. Either the 802.1X access point or the 802.1X client initiates 802.1X authentication using the EAP over LAN (EAPOL) protocol.
2. The NPS server sends an EAP-Request/Identity message to the EAPHost NAP EC on the 802.1X client.
3. The EAPHost NAP EC responds with an EAP-Response/Identity message that contains the user or computer name of the 802.1X client.
4. The NPS server sends an EAP-Request/Start PEAP message to the 802.1X client.
5. The 802.1X client and the NPS server exchange a series of TLS messages to negotiate an encrypted TLS channel.
6. The NPS server sends a request for the list of SoHs to the 802.1X client using a PEAP-TLV message.
7. The EAPHost NAP EC queries the NAP Agent for the list of SoHs.
8. The EAPHost NAP EC passes the list of SoHs to the NPS server using a PEAP-TLV message.
9. The NPS server requests that the 802.1X client authenticate itself with its user or computer credentials, using a PEAP authentication method such as PEAP-MS-CHAP v2.
10. The 802.1X client authenticates itself to the NPS server using the negotiated PEAP authentication method.
11. The NPS component on the NPS server extracts the list of SoHs from the PEAP-TLV message sent in step 8 and passes it to the NAP Administration Server component.
12. The NAP Administration Server component passes each SoH in the list to the appropriate SHV.
13. The SHVs analyze the contents of their SoHs and send SoHRs to the NAP Administration Server.
14. The NAP Administration Server passes the list of SoHRs to NPS.
15. NPS compares the list of SoHRs to the configured set of network access and system health policies and makes a limited or unlimited network access decision.
16. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the 802.1X client.
17. NPS sends a RADIUS Access-Accept message containing the SSoHR to the 802.1X access point. If the 802.1X connection is limited, the RADIUS Access-Accept message also contains an access profile that limits the traffic of the 802.1X client to the restricted network. If the connection is unlimited, the message contains no access profile, and the NAP client has unlimited network access once the connection completes.
18. The 802.1X client and 802.1X access point complete the 802.1X connection.

The following process occurs when a NAP-capable 802.1X client connects to an 802.1X-capable access point and sends its health certificate for health validation:

1. Either the 802.1X access point or the 802.1X client initiates 802.1X authentication using EAPOL.
2. The 802.1X NAP client uses PEAP and a configured PEAP authentication method to perform user or computer authentication to gain access to the network.
3. The EAPHost NAP EC sends its health certificate to the NPS server using a PEAP-TLV message.
4. NPS sends a PEAP-TLV message containing the SSoHR to the 802.1X client.
5. NPS sends a RADIUS Access-Accept message containing the SSoHR to the 802.1X access point. If the health certificate is not valid, the RADIUS Access-Accept message also contains a limited access profile. If the health certificate is valid, the message contains no limited access profile, and the NAP client has unlimited network access once the connection completes.
6. The 802.1X client and 802.1X access point complete the 802.1X connection.

Noncompliant 802.1X-based NAP Client
If the 802.1X NAP client is noncompliant, the 802.1X connection has the limited access profile applied and the client can reach only resources on the restricted network. The process of remediation and obtaining unlimited network access depends on whether the 802.1X NAP client uses a list of SoHs or a health certificate for health validation.

The following process performs the remediation required for unlimited network access when the NAP client uses a list of SoHs:

1. The EAPHost NAP EC extracts the list of SoHRs from the PEAP-TLV message received from the NPS server and passes it to the NAP Agent.
2. The NAP Agent passes each SoHR to the appropriate SHA.
3. Each SHA analyzes its SoHR and, based on the contents, performs the remediation needed to correct the NAP client's system health state.
4. After an SHA has performed its remediation, it passes an updated SoH to the NAP Agent.
5. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new list of SoHs, and passes it to the EAPHost NAP EC.
6. The EAPHost NAP EC restarts 802.1X authentication and sends its new list of SoHs for health validation.
7. Health validation succeeds and the 802.1X client has unlimited network access.

The following process performs the remediation required for unlimited network access when the NAP client uses a health certificate:

1. The EAPHost NAP EC sends a certificate request with its list of SoHs to the HRA.
2. The HRA passes the list of SoHs to the NPS server for evaluation.
3. The NPS server sends the list of SoHRs to the HRA.
4. The HRA sends the list of SoHRs to the EAPHost NAP EC.
5. The EAPHost NAP EC extracts the list of SoHRs and passes it to the NAP Agent.
6. The NAP Agent passes each SoHR to the appropriate SHA.
7. Each SHA analyzes its SoHR and, based on the contents, performs the remediation needed to correct the NAP client's system health state.
8. After an SHA has performed its remediation, it passes an updated SoH to the NAP Agent.
9. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new list of SoHs, and passes it to the EAPHost NAP EC.
10. The EAPHost NAP EC sends a new certificate request with its list of SoHs to the HRA.
11. The HRA sends the list of SoHs to the NPS server.
12. The NPS server evaluates the list of SoHs and sends back to the HRA an SSoHR indicating unlimited access.
13. The HRA sends a new health certificate to the 802.1X client.
14. The 802.1X client restarts 802.1X authentication and sends its new health certificate for health validation.
15. Health validation succeeds and the 802.1X client has unlimited network access.

Note that in the health certificate case the limited access profile must still allow the client to reach the HRA and the remediation servers; otherwise the client can never obtain the certificate it needs to leave the restricted network.

VPN Connections
VPN Enforcement uses a set of remote access IP packet filters to limit the traffic of the VPN client so that it can reach only resources on the restricted network until it is validated. The VPN server applies the IP packet filters to the IP traffic received from the VPN client and silently discards all packets that do not correspond to a configured packet filter.

The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server:

1. The VPN client initiates a connection to the VPN server using either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec).
2. The VPN NAP ES on the VPN server (a component of Routing and Remote Access) sends an EAP-Request/Identity message to the VPN NAP EC on the VPN client.
3. The VPN NAP EC on the VPN client (a component of the Remote Access Connection Manager service) responds with an EAP-Response/Identity message that contains the user name of the VPN client.
4. The VPN NAP ES on the VPN server sends the EAP-Response/Identity message as a RADIUS Access-Request message to the NPS server. For all subsequent PEAP-based messages, the logical communication occurs between the NPS server and the VPN NAP EC on the VPN client, with the VPN server acting as a pass-through device. Messages between the VPN server and the NPS server are a series of RADIUS Access-Request, Access-Challenge, and Access-Accept messages.
5. The NPS server sends an EAP-Request/Start PEAP message to the VPN client.
6. The VPN client and the NPS server exchange a series of TLS messages to negotiate an encrypted TLS channel.
7. The NPS server sends a request for the list of SoHs to the VPN client using a PEAP-TLV message.
8. The VPN NAP EC queries the NAP Agent for the list of SoHs.
9. The VPN NAP EC passes the list of SoHs to the NPS server using a PEAP-TLV message.
10. The NPS server requests that the VPN client authenticate itself with its client credentials, using a PEAP authentication method such as PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
11. The VPN client authenticates itself to the NPS server using the negotiated PEAP authentication method.
12. The NPS component on the NPS server extracts the list of SoHs from the PEAP-TLV message sent in step 9 and passes it to the NAP Administration Server component.
13. The NAP Administration Server component passes each SoH in the list to the appropriate SHV.
14. The SHVs analyze the contents of their SoHs and then construct and send SoHRs to the NAP Administration Server.
15. The NAP Administration Server passes the list of SoHRs to NPS.
16. NPS compares the list of SoHRs to the configured set of network access and system health policies and makes a limited or unlimited network access decision.
17. NPS constructs and sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the VPN client.
18. NPS sends a RADIUS Access-Accept message containing the SSoHR to the VPN server. If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP packet filters that limit the traffic of the VPN client to the restricted network. If the connection is unlimited, the message contains no IP packet filters, and the NAP client has unlimited network access once the connection completes.
19. The VPN client and VPN server complete the VPN connection.

Noncompliant VPN-based NAP Client
If the VPN client is noncompliant, the VPN connection has the packet filters applied and the VPN client can reach only resources on the restricted network. The following process performs the remediation required for unlimited network access:

1. The VPN NAP EC extracts the list of SoHRs from the PEAP-TLV message received from the NPS server and passes it to the NAP Agent.
2. The NAP Agent passes each SoHR to the appropriate SHA.
3. Each SHA analyzes its SoHR and, based on the contents, performs the remediation needed to correct the NAP client's system health state.
4. After an SHA has performed its remediation, it passes an updated SoH to the NAP Agent.
5. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new list of SoHs, and passes it to the VPN NAP EC.
6. The VPN NAP EC passes the list of SoHs to the NPS server using a PEAP-TLV message.
7. The NPS component on the NPS server extracts the list of SoHs from the PEAP-TLV message and passes it to the NAP Administration Server component.
8. The NAP Administration Server component passes each SoH in the list to the appropriate SHV.
9. The SHVs analyze the contents of their SoHs and then construct and send SoHRs to the NAP Administration Server.
10. The NAP Administration Server passes the list of SoHRs to NPS.
11. NPS compares the list of SoHRs to the configured set of network access and system health policies and makes a limited or unlimited network access decision.
12. NPS constructs and sends a PEAP-TLV message, via the VPN server, containing the SSoHR and the list of SoHRs to the VPN client.
13. NPS constructs and sends a RADIUS Access-Accept message to the VPN server containing the SSoHR and no IP packet filters for limited network access.
14. Upon receipt of the RADIUS Access-Accept message, the VPN server removes the IP packet filters from the VPN connection and the VPN client has unlimited network access.

DHCP IP Address Configuration
DHCP Enforcement limits network access for the DHCP client through its IP routing table.
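As an added example of the routing-table mechanism this section describes (not code from the clinic or from Microsoft), the following Python encodes and decodes the Classless Static Route option (DHCP option 121, RFC 3442) and models the routing table that results from each kind of DHCPAck. The addresses, the choice of the subnet router as next hop for the host routes, and the simplified route installation are assumptions of the example.

```python
"""DHCP Enforcement's restricted IPv4 configuration, modelled (added example, not Microsoft code).

encode/decode handle the Classless Static Route option payload (DHCP option 121,
RFC 3442); routing_table/select_route model what the client can reach once the
Router option is 0.0.0.0, the subnet mask is 255.255.255.255 and only the host
routes from option 121 remain. Addresses are constructed for the example, and
the next hop used for the host routes is an assumption.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network
NO_GATEWAY = IPv4("0.0.0.0")


@dataclass(frozen=True)
class Route:
    network: IPv4Net
    next_hop: IPv4


def encode_option_121(routes: list[Route]) -> bytes:
    """RFC 3442 payload: prefix length, significant destination octets, 4-octet router."""
    out = bytearray()
    for r in routes:
        plen = r.network.prefixlen
        out.append(plen)
        out += r.network.network_address.packed[: (plen + 7) // 8]
        out += r.next_hop.packed
    return bytes(out)


def decode_option_121(payload: bytes) -> list[Route]:
    """Parse an option 121 payload, rejecting truncated or malformed input."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8
        dest = payload[i:i + sig]
        hop = payload[i + sig:i + sig + 4]
        if len(dest) != sig or len(hop) != 4:
            raise ValueError("truncated option 121 payload")
        i += sig + 4
        dest = dest + b"\x00" * (4 - sig)  # restore the omitted low-order octets
        routes.append(Route(IPv4Net((dest, plen), strict=False), IPv4(hop)))
    return routes


@dataclass
class ClientConfig:
    """The DHCP options that matter here: address, option 1, option 3, option 121."""
    address: IPv4
    subnet_mask: str
    router: IPv4
    classless_routes: list[Route]


def routing_table(cfg: ClientConfig) -> list[Route]:
    """Routes the client installs from its configuration (a simplified model)."""
    on_link = IPv4Net((str(cfg.address), cfg.subnet_mask), strict=False)
    table = [Route(on_link, NO_GATEWAY)]
    if cfg.router != NO_GATEWAY:
        table.append(Route(IPv4Net("0.0.0.0/0"), cfg.router))
    table.extend(cfg.classless_routes)
    return table


class RoutingError(Exception):
    """What an application sees when the stack has no route to the destination."""


def select_route(table: list[Route], destination: str) -> Route:
    dst = IPv4(destination)
    matches = [r for r in table if dst in r.network]
    if not matches:
        raise RoutingError(f"no route to {dst}")
    return max(matches, key=lambda r: r.network.prefixlen)  # longest prefix wins


def reachable(table: list[Route], destination: str) -> bool:
    try:
        select_route(table, destination)
        return True
    except RoutingError:
        return False


# Constructed restricted-network resources: a DNS server and a remediation server.
SUBNET_ROUTER = IPv4("10.0.0.1")
RESTRICTED_ROUTES = [
    Route(IPv4Net("10.0.0.53/32"), SUBNET_ROUTER),
    Route(IPv4Net("10.0.0.80/32"), SUBNET_ROUTER),
]

# What a noncompliant client receives in its DHCPAck, and what a compliant one receives.
NONCOMPLIANT = ClientConfig(IPv4("10.0.0.20"), "255.255.255.255", NO_GATEWAY,
                            decode_option_121(encode_option_121(RESTRICTED_ROUTES)))
COMPLIANT = ClientConfig(IPv4("10.0.0.20"), "255.255.255.0", SUBNET_ROUTER, [])

if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        table = routing_table(cfg)
        for dst in ("10.0.0.80", "10.0.0.99", "192.168.5.5"):
            print(f"{name:>12}: {dst:<12} reachable={reachable(table, dst)}")
```

Running it shows that the noncompliant configuration reaches only the destinations listed in option 121 while the compliant one reaches everything. The same model also shows the limit noted below: appending a 0.0.0.0/0 route to the noncompliant table, which a local administrator can do by hand, makes every destination reachable again.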
The DHCP Enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not have a configured default gateway and cannot gain egress to the secure network. DHCP Enforcement also sets the subnet mask for the allocated IP address to 255.255.255.255, so that there is no route to the attached subnet. To allow the noncompliant computer to access the remediation servers on the restricted network, the DHCP server assigns the Classless Static Routes DHCP option, which contains a set of host routes to the computers on the restricted network, such as the DNS and remediation servers. The end result of DHCP limited network access is a configuration and routing table that allows connectivity only to specific destination addresses. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied via the Classless Static Routes option, the TCP/IP protocol returns a routing error. Notes DHCP Enforcement is for IP version 4 (IPv4) only and does not limit the network access of IP version 6 (IPv6)-based DHCP clients. Because DHCP Enforcement is based on entries in the IPv4 routing table, it cannot prevent a malicious user who is a local administrator from manually changing the IPv4 routing table and gaining unlimited network access. The following process occurs when a NAP-capable DHCP client attempts to obtain an IPv4 address configuration from a NAP-capable DHCP server: The DHCP NAP EC on the NAP client (a component of the DHCP Client service) queries the NAP Agent component for the list of SoHs. The NAP Agent, which has cached the SoHs from the installed set of SHAs, responds to the DHCP NAP EC with the list of SoHs. The DHCP Client service constructs and sends a DHCPDiscover message. Contained within the DHCPDiscover message is the list of SoHs in one or more Microsoft vendor-specific DHCP options. The DHCP Server service on the NAP-enabled DHCP server receives the DHCPDiscover message. 
The DHCP NAP ES on the DHCP server (a component of the DHCP Server service) extracts the list of SoHs from the DHCPDiscover message and sends the list of SoHs to the NPS server as RADIUS vendor-specific attributes in a RADIUS Access-Request message. The NPS server receives the RADIUS Access-Request message, extracts the list of SoHs from the RADIUS vendor-specific attributes, and passes the list of SoHs to the NAP Administration Server component. 64 Security and Policy Enforcement in Windows Server 2008 The NAP Administration Server receives the list of SoHs and forwards the SoHs to the appropriate SHVs. The SHVs analyze the contents of the SoH passed by the NAP Administration Server and then construct and send an SoHR to the NAP Administration Server. The NAP Administration Server passes the list of SoHRs to NPS. NPS compares the list of SoHRs to a configured set of network access and policies and then makes a limited/unlimited network access decision. NPS constructs and sends a RADIUS Access-Accept message containing the System Statement of Health Response (SSoHR)—indicating whether the client has limited or unlimited network access—and the list of SoHRs as RADIUS vendor-specific attributes. The DHCP server receives the RADIUS Access-Accept message, extracts the SSoHR and the list of SoHRs, and reformats them as DHCP vendor-specific options. The DHCP server sends a DHCPOffer message containing an IPv4 address configuration. The DHCP client sends a DHCPRequest message requesting the offered IPv4 address configuration. The DHCP server sends a DHCPAck message containing the offered IPv4 address configuration, the SSoHR, and the list of SoHRs as one or more Microsoft vendorspecific DHCP options. If the NAP client is compliant, the DHCPAck message contains the Router DHCP option set to the correct default gateway, a subnet mask for the subnet to which the NAP client is attached, and does not contain the Classless Static Routes option. 
At this point, the NAP client has unlimited network access. Noncompliant DHCP-based NAP Client If the NAP client is noncompliant, the DHCPAck message that contains the Router DHCP option will be set to 0.0.0.0, the Subnet Mask option set to 255.255.255.255, and the Classless Static Routes option contains the set of static host routes to resources on the restricted network. The following process performs the remediation required for unlimited network access: The DHCP NAP EC passes the list of SoHRs to the NAP Agent. The NAP Agent passes the SoHRs to the appropriate SHAs. Each SHA analyzes its SoHR, and based on the contents, performs the remediation as needed to correct the NAP client's system health state. After the SHA has performed the remediation function, it passes an updated SoH to the NAP Agent. The NAP Agent collects the updated SoHs from all of the SHAs that required remediation, creates a new list of SoHs, and passes it to the DHCP NAP EC. Security and Policy Enforcement in Windows Server 2008 65 The DHCP NAP EC sends the DHCP server a DHCPRequest message to renew its current IPv4 address configuration containing the list of SoHs. The DHCP Server service on the NAP-enabled DHCP server receives the DHCPRequest message. The DHCP NAP ES component of the DHCP Server service extracts the list of SoHs from the DHCPRequest message and sends the list of SoHs to the NPS server as RADIUS vendor-specific attributes of a RADIUS AccessRequest message. The NPS server receives the RADIUS Access-Request message, extracts the list of SoHs from the RADIUS vendor-specific attributes, and passes the list of SoHs to the NAP Administration Server. The NAP Administration Server receives the list of SoHs, and assuming that it has not already cached the SoHRs, it forwards the SoHs in the list to the appropriate SHVs. 
The SHVs analyze the contents of the SoH passed by the NAP Administration Server and then construct and send an SoHR to the NAP Administration Server.

The NAP Administration Server passes the list of SoHRs to NPS.

NPS compares the list of SoHRs to the configured set of network access and system health policies and then makes a limited/unlimited network access decision.

NPS constructs and sends a RADIUS Access-Accept message containing the SSoHR indicating unlimited network access and the list of SoHRs as RADIUS vendor-specific attributes.

The DHCP server receives the RADIUS Access-Accept message, extracts the SSoHR and the list of SoHRs, and reformats them as DHCP vendor-specific options.

The DHCP server sends a DHCPAck message with the Router option set to the correct default gateway and the Subnet Mask option set to the mask of the subnet to which the NAP client is attached; the message does not contain the Classless Static Routes option.

The DHCP client now has a renewed IPv4 address configuration for unlimited network access.

Authentication Processing

A Network Policy Server in Windows Server 2008 can be used as either a RADIUS server or a RADIUS proxy.

When NPS is used as a RADIUS server:

RADIUS Access-Request messages are authenticated through the Active Directory directory service, a Windows NT Server 4.0 domain, or the local Security Accounts Manager (SAM). They are authorized using the user or computer account properties and the authorization policies.

RADIUS Accounting-Request messages are logged in a local log file or in a Microsoft SQL Server 2000 or Microsoft SQL Server 2005 database, depending on the accounting settings.

When NPS is used as a RADIUS proxy:

Access-Request messages are forwarded to another RADIUS server for authentication and authorization.
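Returning to the DHCP enforcement flow described above: the DHCPAck handed to a compliant client carries a normal gateway and subnet mask, while the one handed to a noncompliant client carries a 0.0.0.0 router, a 255.255.255.255 mask and host routes in the Classless Static Routes option. The following Python is an added example, not part of the clinic material: it decodes those three options from a DHCPAck options field and reports which kind of lease the client received, and it flags a lease that shows only some of the restricted-access signs (a client that is neither confined nor fully connected). The option blobs and the 192.0.2.x addresses are constructed for the example.

```python
import ipaddress
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_CLASSLESS_ROUTES, OPT_END = 0, 1, 3, 121, 255
ZERO, HOST_MASK = ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")

def parse_options(blob: bytes) -> dict:
    """Decode the DHCP options field (code, length, value TLVs) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:            # pad octets carry no length byte
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = bytes(blob[i + 2:i + 2 + length])
        i += 2 + length
    return opts

def parse_classless_routes(data: bytes) -> list:
    """RFC 3442 option 121: <prefix length><significant destination octets><4-byte router>."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8               # only the significant destination octets are sent
        dest = bytes(data[i + 1:i + 1 + n]) + b"\x00" * (4 - n)
        routes.append((ipaddress.IPv4Network((dest, plen)), ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])))
        i += 5 + n
    return routes

def classify_lease(blob: bytes) -> dict:
    """Return 'restricted', 'unlimited' or 'inconsistent' plus the option values behind it."""
    opts = parse_options(blob)
    router = ipaddress.IPv4Address(opts.get(OPT_ROUTER, ZERO.packed)[:4])
    mask = ipaddress.IPv4Address(opts.get(OPT_SUBNET_MASK, ZERO.packed)[:4])
    routes = parse_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b""))
    # A restricted lease shows all three signs: no usable gateway, a /32 mask that cuts the client off
    # from its own subnet, and only host routes to remediation servers. Some but not all of them is a
    # lease that neither confines nor fully connects the client, so it is flagged for review.
    signs = [router == ZERO, mask == HOST_MASK,
             bool(routes) and all(net.prefixlen == 32 for net, _ in routes)]
    access = "restricted" if all(signs) else "unlimited" if not any(signs) else "inconsistent"
    return {"access": access, "router": str(router), "mask": str(mask),
            "routes": [f"{net} via {gw}" for net, gw in routes]}

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value  # encode one option as code, length, value

# Constructed option fields for a compliant and a noncompliant client (not captured traffic).
GW = ipaddress.IPv4Address("192.0.2.1").packed
COMPLIANT_ACK = opt(OPT_SUBNET_MASK, b"\xff\xff\xff\x00") + opt(OPT_ROUTER, GW) + bytes([OPT_END])
NONCOMPLIANT_ACK = (opt(OPT_SUBNET_MASK, HOST_MASK.packed) + opt(OPT_ROUTER, ZERO.packed)
                    + opt(OPT_CLASSLESS_ROUTES, bytes([32]) + ipaddress.IPv4Address("192.0.2.50").packed + GW)
                    + bytes([OPT_END]))  # a single /32 route to a remediation server
```

Running classify_lease over the options of real DHCPAck captures from a NAP-enabled server is a quick way to confirm that noncompliant clients actually receive the restricted lease the health policy intends.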
Accounting-Request messages are logged in a local log file or in a Microsoft SQL Server 2000 or Microsoft SQL Server 2005 database (depending on the accounting settings) and forwarded to another RADIUS server for accounting.

System Health Validators are the server-side counterparts of System Health Agents (SHAs): each SHA on the client has a corresponding SHV in NPS. SHVs allow NPS to verify the statement of health (SoH) made by the corresponding SHA on the client computer, and they contain the details of the configuration settings required on client computers. For example, the Windows Security SHV is the counterpart of the Microsoft SHA on client computers. The Windows Security SHV allows you to create a policy for how various settings on NAP-capable client computers must be configured. If the settings on the client computer as reported in the SoH do not match the settings in the SHV on the NPS server, the client computer is not compliant with health policy.

System Health Validator Templates

System Health Validator Templates allow you to define client health policies in NPS by adding one or more SHVs to the template. After an SHV template is configured with one or more SHVs, you can add the template to the settings of a network policy that you want to use to enforce NAP when client computers connect to your network.

Using Multiple System Health Validators in a Template

The Windows Security SHV is included by default in NPS. Third-party vendors might also provide additional SHA and SHV pairs for their NAP-compatible products. Whenever you want to use a NAP-compatible product, follow the product's documentation to install the SHA on NAP-capable client computers and then install the SHV on the NPS server. After you have installed the SHV on the NPS server, you can configure the SHV and then add it to an SHV template.
After your template is configured with the SHVs you want to use, you can add the SHV template to a network policy.

Remediation Server Group

A Remediation Server Group is a list of servers on the restricted network that provide the resources (software, patches and other solutions) necessary to bring noncompliant NAP-capable clients into compliance with administrator-defined client health policy. A remediation server hosts the updates that the NAP Agent can use to bring noncompliant client computers into compliance with the health policy defined in NPS. For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions installed, an antivirus SHA, an antivirus SHV, an antivirus policy server, and the remediation server that hosts the antivirus signatures work in concert to update noncompliant computers.

Authorization Policies

Authorization policies are an ordered set of rules that define how connection attempts are permitted or rejected. Each rule contains a policy type (grant access or deny access), one or more conditions, and policy settings. If a connection is authorized, the authorization policy settings can specify a set of connection restrictions. For NAP, authorization policies specify the conditions to check for health requirements and, for noncompliant NAP clients or NAP-ineligible clients, the enforcement behavior.

Authorization Policy Conditions for Network Access Protection

For NAP support, the following conditions have been added to Network Policy Server authorization policies:

System Health Validator (SHV) Templates. This condition specifies a previously configured System Health Validator (SHV) template. If the evaluation of the health settings of a connection attempt matches the template, the connection attempt matches this condition of the policy.

NAP-Capable Computers.
This condition specifies whether the client is or is not NAP-capable.

The following are examples of using these conditions for NAP-based authorization policies:

For an authorization policy that applies only to compliant NAP-capable clients, that is, clients that pass all of the health requirements of the installed SHVs, set SHV Templates to the "Compliant" (example name) template, which specifies the Client passes all SHV checks option.

For an authorization policy that applies only to noncompliant NAP-capable clients, that is, clients that fail any of the health requirements of the installed SHVs, set SHV Templates to the "Noncompliant" (example name) template, which specifies the Client fails one or more SHV checks option.

For an authorization policy that applies only to NAP-ineligible clients, set NAP-capable computers to Only computers that are not NAP-capable.

Authorization Policy Type for NAP

Because NAP health validation is performed for connection attempts that are also authenticated and authorized, you select the Grant access policy type. The connection attempt is authorized, but the network access of noncompliant NAP clients or NAP-ineligible clients is limited to the restricted network. You can create authorization policies that explicitly deny access; however, these policies do not need NAP settings, because there is no need to validate the system health of a computer that is not allowed access.

Authorization Policy Settings for NAP

Authorization policies in Windows Server 2008 have a set of Network Access Protection settings for NAP Enforcement, Remediation Servers, and Troubleshooting URL.

Implementation/Usage Scenarios

One of the many benefits of Network Access Protection is its flexibility and its support for third-party software.
One of the drawbacks of Network Access Quarantine Control was its lack of support for third-party software. This is not the case with NAP. Most third-party software can be used with Network Access Protection as long as it provides System Health Agent (SHA) and System Health Validator (SHV) capabilities. Some common scenarios where using NAP would prove beneficial:

Checking the Health and Status of Roaming Laptops

Laptops that are not connected to the corporate network might not have the latest virus signature files or hotfixes installed. As a consequence, a laptop may have been infected or compromised while disconnected, and it presents a real threat when it is reconnected to the corporate network.

Ensuring the Health of Corporate Desktop Computers

Users of corporate desktop systems might have installed untested and possibly infected software, or compromised their systems through other means. These systems should have the latest patches and virus signature files installed in response to threats from viruses and Trojans, and this process should be seamless to the user while still maintaining appropriate security and controls.

Determining the Health of Visiting Laptops

Laptops brought in by external entities (clients, consultants or external partners) present a real concern. These systems, even though they are authorized for access, are still a threat until they meet the health compliance requirements. There is no certainty that they have been properly patched and have current antivirus signatures.

Verifying the Compliance and Health of Unmanaged Home Computers

Providing remote access to users at home poses a huge threat to corporate networks. Most home users do not properly patch and protect their computers, which may have numerous vulnerabilities, Trojans and malware running without their knowledge.
The other challenge with allowing access from home computers is the lack of direct physical access to these machines in order to secure them. By using NAP, administrators can restrict home users from directly accessing the network until their home systems meet the approved health compliance standards.

Recommendations

Configure enforcement for each of the applicable types: IPSec, 802.1X, VPN and DHCP.

Design the three logical network segments (secure, boundary and restricted) to facilitate IPSec enforcement in NAP.

Test NAP, its policies and the restricted networks in detail to ensure that all security goals are met.

Use SHAs wisely: rigorously test all third-party SHAs and SHVs before deploying them in a production network.

Summary

Network Access Protection is a new initiative to limit the access of connecting computers until they are compliant with system health requirements. Network Access Protection includes client and server components. Administrators can configure IPSec Enforcement, 802.1X Enforcement, VPN Enforcement, DHCP Enforcement, or all of them, depending on their network needs. Network Access Protection provides an infrastructure and an API that vendors and software developers can use to build their own health requirement validation and network access limitation components that are compatible with Network Access Protection.

Hands-On Lab

What Next?