File Services

10/15/2008
Windows Server 2008
Network Policy and Access Services (NPAS)
• Protecting our network
• Methods of controlling users' access to the network
o implement logical and physical network segmentation
o use firewalls and funnel remote access through a VPN
o use Terminal Services and Citrix
• Use of NAP (Network Access Protection)
NAP – Network Access Protection
NAP is an overall solution that lets administrators quarantine hosts
that come onto the network until they have passed a series of defined
“health checks”.
NAP Components (enforcement methods)
• IPsec enforcement
Compliant clients obtain an X.509 health certificate (issued through the Health
Registration Authority) and use it to authenticate IPsec-protected traffic;
non-compliant clients cannot. X.509 is the standard format for public key
certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm.
• 802.1X enforcement
Port-based network access control: the switch or wireless access point isolates
a non-compliant client through IP filters or by placing it on a restricted
virtual LAN (VLAN).
• VPN enforcement
VPN stands for Virtual Private Network: a network in which some of the links
between nodes are carried by open connections or virtual circuits in some
larger network (e.g., the Internet) instead of by physical wires. The VPN
server applies IP packet filters to restrict a non-compliant remote client.

• DHCP enforcement
Dynamic Host Configuration Protocol (DHCP): a network protocol that lets a
server automatically assign an IP address and related settings to a
computer's TCP/IP stack. DHCP assigns an address dynamically from a defined
range of addresses (a scope) configured for a given network. Under NAP, a
non-compliant client receives a limited configuration (no default route, only
routes to the remediation servers). This is the weakest enforcement method:
a client configured with a static IP address bypasses it.

Network Policy Server (NPS)
NPS replaces Internet Authentication Service (IAS). It is Microsoft's
implementation of RADIUS (Remote Authentication Dial-In User Service) and
acts as the NAP health policy server.

NAP Agent
A client-side service that collects the statement of health from every System
Health Agent (SHA) and passes that information to the NAP Enforcement Clients.

• System Health Agent (SHA)
Reports the health state of one component on the client (e.g., firewall,
antivirus, updates): the know-it-all for that component.
• NAP administration server
Decides, from the SHV results, whether to grant access or place the client
into a remediation (restricted) state.

• System Health Validator (SHV)
Server-side counterpart of an SHA; determines whether the state the client
reported for that component is healthy.
• Health policy
Defines the requirements a client must meet to get access to the protected
network.

• Accounts database
Central account information (e.g., Active Directory).
• Health Registration Authority (HRA)
Issues health certificates to compliant clients (used by IPsec enforcement).
• Remediation server
Brings a non-compliant client back into compliance (e.g., an update or
antivirus signature server reachable from the restricted network).
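The component list above (SHA, NAP Agent, SHV, health policy, administration server, remediation server, DHCP enforcement) describes one exchange. The following is an added example, not code from the slides or from Microsoft, that models that exchange end to end: the client's SHAs produce statements of health, the NAP Agent collects them, the SHVs on NPS apply the health policy, and the administration server returns either full access or a restricted DHCP lease plus remediation targets. The class names, policy keys, addresses and lease layout are this example's own assumptions; the real SoH/SoHR wire formats are not reproduced.

```python
"""Model of the NAP health-check flow (added example; assumed names throughout)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class StatementOfHealth:
    """What one System Health Agent (SHA) reports about its component."""
    component: str
    state: dict  # constructed claims, e.g. {"enabled": True}


# Constructed SHAs for one sample client: firewall on, antivirus on but with
# 9-day-old signatures, and two critical updates missing.
def firewall_sha() -> StatementOfHealth:
    return StatementOfHealth("firewall", {"enabled": True})


def antivirus_sha() -> StatementOfHealth:
    return StatementOfHealth("antivirus", {"enabled": True, "signature_age_days": 9})


def updates_sha() -> StatementOfHealth:
    return StatementOfHealth("updates", {"missing_critical": 2})


def nap_agent_collect(shas: List[Callable[[], StatementOfHealth]]) -> List[StatementOfHealth]:
    """NAP Agent: gather the SoH from every SHA for the enforcement client to send."""
    return [sha() for sha in shas]


@dataclass
class HealthPolicy:
    """Health policy on NPS: a predicate per required component plus the
    remediation server a failing client is pointed at (constructed addresses)."""
    required: Dict[str, Callable[[dict], bool]]
    remediation: Dict[str, str]


POLICY = HealthPolicy(
    required={
        "firewall": lambda s: s["enabled"],
        "antivirus": lambda s: s["enabled"] and s["signature_age_days"] <= 7,
        "updates": lambda s: s["missing_critical"] == 0,
    },
    remediation={
        "firewall": "10.0.9.9",    # assumed configuration server
        "antivirus": "10.0.9.10",  # assumed signature server
        "updates": "10.0.9.11",    # assumed update server
    },
)


def shv_evaluate(check: Callable[[dict], bool], state: Optional[dict]) -> bool:
    """System Health Validator for one component. A required component that
    sent no SoH at all counts as unhealthy (fail closed)."""
    return state is not None and bool(check(state))


def nap_administration_server(policy: HealthPolicy, sohs: List[StatementOfHealth]) -> dict:
    """Combine the SHV results: grant full access, or restrict the client and
    list the remediation servers for every failed component."""
    reported = {s.component: s.state for s in sohs}
    failed = [c for c, check in policy.required.items()
              if not shv_evaluate(check, reported.get(c))]
    if not failed:
        return {"decision": "grant", "failed": [], "remediation": []}
    return {"decision": "restrict", "failed": failed,
            "remediation": [policy.remediation[c] for c in failed]}


def evaluate_client(shas, policy: HealthPolicy = POLICY) -> dict:
    """Whole exchange: the client collects its SoHs, NPS evaluates them."""
    return nap_administration_server(policy, nap_agent_collect(shas))


# Constructed lease a compliant client would receive from the DHCP server.
FULL_LEASE = {"address": "10.0.1.25", "mask": "255.255.255.0",
              "gateway": "10.0.1.1", "static_routes": []}


def dhcp_enforcement(decision: dict, full_lease: dict) -> dict:
    """DHCP enforcement: a non-compliant client keeps its address but gets a
    host mask, no default gateway and only routes to the remediation servers."""
    if decision["decision"] == "grant":
        return full_lease
    return {"address": full_lease["address"], "mask": "255.255.255.255",
            "gateway": None, "static_routes": list(decision["remediation"])}


if __name__ == "__main__":
    verdict = evaluate_client([firewall_sha, antivirus_sha, updates_sha])
    print(verdict)                               # restrict: antivirus, updates
    print(dhcp_enforcement(verdict, FULL_LEASE))
```

Two design points worth noticing. A required component with no SoH at all is treated as non-compliant, so a client that simply lacks an SHA does not slip through. And the statement of health is produced by the client itself: an SHA that lies (reporting `signature_age_days` of 0) passes the same checks, which is the concrete form of the point made later in these slides that NAP does not protect against a malicious user.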
Windows Server 2008 editions and NPS
NPS provides different functionality depending on the edition of Windows
Server 2008 that you install:

Windows Server 2008 Enterprise and Windows Server 2008 Datacenter.
- NPS included
- Can configure unlimited number of RADIUS clients and remote RADIUS
server groups.
- Can configure a group of RADIUS clients by specifying an IP address range.

Windows Server 2008 Standard.
- NPS included
- Can configure a maximum of 50 RADIUS clients and a maximum of two
remote RADIUS server groups.
- Can define a RADIUS client by using a fully qualified domain name or an IP
address, but you cannot define groups of RADIUS clients by specifying an IP
address range. If the fully qualified domain name of a RADIUS client resolves
to multiple IP addresses, the NPS server uses the first IP address returned in
the Domain Name System (DNS) query.

Windows Web Server 2008.
- This server edition does not include NPS.

Upgrade from Windows Server 2003
You can upgrade a server running Windows Server 2003 and IAS to Windows
Server 2008 and NPS. During the upgrade process, the server configuration is preserved.
Myths about NAP
• Not a bulletproof method: NAP does not mean you have 100% protection.
• Cannot protect you from a malicious user: health is self-reported by the
client, and NAP checks compliance, not intent.
• It has nothing to do with users other than authentication: it evaluates the
health of the host, not the identity or behaviour of the user.