BANGALORE, INDIA: The biggest challenge for any network admin is to identify machines that do not comply with security standards and keep them from entering the network. To meet this challenge, most organizations either ban unauthorized machines from the network or allow them in only after a process of manual screening. Neither option is realistic: the first can cause loss of productivity and the second consumes a great deal of administrative time.
So, to solve such issues Windows Server 2008 is coming up with NAP or Network Access Protection. Here the complete process of screening the machines entering the network is automated and driven by customizable policies. The machine is granted access to the network if and only if it passes all the screening tests. These tests can include a check for Firewall status (on or off), Antivirus Status (installed and updated or not), Windows Updates (on or off), Phishing Filter (on or off), etc.
Not only screening but a NAP server along with a remediation server can even go ahead and turn the settings on or off depending on the policies before letting the machine enter the network.
So, for example, if your laptop's Firewall is disabled and you try entering a network protected by NAP, it will automatically enable the firewall before letting it enter the network. In this article we will see how to install NAP and ensure that no machine without Firewall, Antivirus, and Anti-phishing enters the network.
Pre-requisites
Of course the first thing which you will require is a machine running Windows Server 2008 Beta 32- or 64-bit version. Next is a client with either Windows XP SP3 Beta or Windows Vista. This is because NAP requires an agent called the SVA or Security Validation Agent to be installed on the client machines and this agent is only available with either Windows XP SP3 Beta or Vista. Microsoft is also planning to release some agents for non-Microsoft OSs, but they are still in the pipeline. So till then live with Windows XP SP3 or Windows Vista.
Installation
Once you are done with the pre-requisites, the installation is actually very simple. All you have to do is go to 'Server Manager' > Roles > Add Roles. A new wizard appears. Here select the Network Policy and Access Services and follow the wizard till it asks you for Role Services. Now select all the available services and continue. Once you proceed you'll see a new window which asks you to provide a Certification Authority. Select the first option 'Install a local CA to issue health certificates for the HRA server.' Proceed till it asks you to choose a Server Authentication Certificate for SSL Encryption. Now select the second option 'Create a self-signed certificate for SSL encryption' and proceed. Click on Next till the wizard finishes and starts the installation process.
[Figure: To successfully deploy NAP you need to install all the service components listed in the image. Select all of them and proceed through the wizard to install them.]
Configuring DHCP
For this, configure the DHCP server on a machine which supports NAP. Of course the best option would be to install it on the same machine where the NAP server is running. So first install the DHCP role from the 'Server Management' interface. The installation is very simple. Just select the DHCP role and keep clicking the next option till the installation ends.
[Figure: In this screen you can set which components must be enabled on your client machines for the NAP server to allow them to enter the network.]
Once done, from the Administrative Tools open the DHCP MMC and create a new scope for your network. We are not covering the configuration of DHCP here as we presume our readers would know how to do so. After the required changes right click on the Scope and click on the property option. A new Window pops up. Now go to the Network Access Protection tab and click on the radio buttons 'Enable for this scope' and 'Use default Network Access Protection profile' under Network Access Protection Settings. Apply the changes and restart your DHCP server.
Configuring NAP
Now comes the most important part. For configuring NAP policies go to Administrative Tools and click 'Network Policy Server' option. From the left pane of the new Window, click NPS (local) option. At the center of the Window is a drop-down menu called 'Select a Configuration Scenario,' here select the Network Access protection (NAP) option. Now click on the option 'Configure NAP,' just below the drop-down menu. At the first page of the new wizard, expand the drop-down menu and select DHCP and press Next. Keep pressing Next with the default values until the wizard ends. Once done, your NAP policies for the DHCP server are ready.
[Figure: Apply the above-mentioned settings to make sure that the DHCP server takes feedback from the NAP server.]
The only thing you have to do is to set the System Health Validator settings. Essentially, here you need to define the reasons for the machines to be either granted access or denied to join the network. To configure it, click and expand the NAP option at the left pane of the window. Now click on the System Health validator option. Double click on Windows System Health validator option at the center top of the window. A new window appears. Next, click on the configure option. In the next window you see two tabs: one for configuring the SHV settings of Windows XP and the other for Windows Vista.
From here you can select and define the cases in which the SHV will deny or grant access to the machines joining the network. So, for instance, if you select the checkbox which says 'A firewall is enabled for all network connections' then only those machines with a firewall enabled will get access to the network. The same applies to Virus Protection, Spyware protection, and Updates. Once you select the desired settings, close this window and your NAP is ready to be used.
You can configure NAP at different protocol levels. For instance it can work with VPN, Dial-in Connection, DHCP, Terminal Server Gateways, etc, but here we are going to use it via DHCP. We configure a DHCP server, which has NAP capability, and a NAP server to validate the requests coming to the DHCP server and allow the DHCP server to give IPs to only those machines which pass the NAP policies.
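The decision flow described above (health checks, automatic remediation, then the DHCP grant), as an added Python model that is not part of the original article and is not Microsoft's code. The field names, the sample clients and the choice of which settings can be switched on automatically are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Checks assumed to be ticked in the Windows System Health Validator dialog.
REQUIRED = ("firewall_on", "antivirus_installed", "antivirus_updated", "auto_updates_on")
# Assumption: only these can be switched on automatically; installing or
# updating antivirus is left to a remediation server or the user.
AUTO_FIXABLE = {"firewall_on", "auto_updates_on"}

@dataclass(frozen=True)
class Health:
    """Constructed stand-in for the health state a client agent reports."""
    firewall_on: bool
    antivirus_installed: bool
    antivirus_updated: bool
    auto_updates_on: bool

def failed_checks(health):
    """Names of the required checks this client does not pass."""
    return [c for c in REQUIRED if not getattr(health, c)]

def dhcp_decision(health, auto_remediate=True):
    """Return (decision, fixed, still_failing) for one DHCP request."""
    failures, fixed = failed_checks(health), []
    if failures and auto_remediate:
        fixed = [c for c in failures if c in AUTO_FIXABLE]
        health = replace(health, **{c: True for c in fixed})
        failures = failed_checks(health)  # re-evaluate after remediation
    return ("granted" if not failures else "denied"), fixed, failures

# Constructed sample clients, not data from the article.
SAMPLE_CLIENTS = {
    "compliant-desktop": Health(True, True, True, True),
    "laptop-firewall-off": Health(False, True, True, True),
    "guest-no-antivirus": Health(False, False, False, True),
}

def evaluate_all(clients=SAMPLE_CLIENTS, auto_remediate=True):
    """Run the decision for every sample client."""
    return {name: dhcp_decision(h, auto_remediate) for name, h in clients.items()}

if __name__ == "__main__":
    for name, (decision, fixed, failing) in evaluate_all().items():
        print(f"{name:20} {decision:8} fixed={fixed} still_failing={failing}")
```

Passing `auto_remediate=False` shows the same policy without the remediation step, where the laptop with its firewall off is denied instead of being fixed and admitted.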