70-411: Administering Windows Server 2012

Chapter 4: Configure a Network Policy Server Infrastructure

Objective 4.1: Configuring a Network Policy Server

© 2013 John Wiley & Sons, Inc. 3

RADIUS Terms

• Network Policy Server (NPS): Microsoft’s RADIUS server.

• Authorization: The process that determines what a user is permitted to do on a computer system or network.

• RADIUS client: A server or device that forwards RADIUS requests to a RADIUS server.

• Access client: A computer or device that contacts or connects to a RADIUS client, which requires authentication and authorization to connect.


A Network with RADIUS

RADIUS servers and clients


Configuring RADIUS Server Infrastructures

Multiple RADIUS server configurations:

• Primary RADIUS server and alternate RADIUS servers

• A RADIUS proxy located between the RADIUS server and the RADIUS clients
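Registering the same network access server on a primary and an alternate NPS server, as an added example (not from the course slides): both servers must hold the same shared secret for the NAS or failover silently breaks. Assumes the NPS role and its PowerShell module on Windows Server 2012; the NAS name, its address, the `NPS02` hostname and the backup path are constructed placeholders.

```powershell
# Added example: register a NAS as a RADIUS client on the primary NPS server and on the
# alternate server with one shared secret, then verify and back up the NPS configuration.
# Assumes the NPS module is present; VPN01, 192.0.2.10, NPS02 and C:\NpsBackup are placeholders.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-character alphabet so that byte % 64 introduces no bias; length is what matters
    $chars = [char[]](48..57) + [char[]](65..90) + [char[]](97..122) + [char[]]'-_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$nasName    = 'VPN01'        # constructed placeholder
$nasAddress = '192.0.2.10'   # constructed placeholder (documentation address range)
$secret     = New-RadiusSharedSecret

# Primary server: -NapCompatible marks the NAS as a NAP enforcement point
New-NpsRadiusClient -Name $nasName -Address $nasAddress -SharedSecret $secret `
    -NapCompatible $true -Enabled $true

# Alternate server: identical entry, so the NAS can fail over between the two
Invoke-Command -ComputerName 'NPS02' -ScriptBlock {
    param($n, $a, $s)
    Import-Module NPS
    New-NpsRadiusClient -Name $n -Address $a -SharedSecret $s -NapCompatible $true -Enabled $true
} -ArgumentList $nasName, $nasAddress, $secret

# Verify the entry without echoing the secret, then keep a dated configuration backup
Get-NpsRadiusClient | Select-Object Name, Address, Enabled, NapCompatible
Export-NpsConfiguration -Path "C:\NpsBackup\nps-$(Get-Date -Format yyyyMMdd).xml"
```

The exported XML contains the shared secrets in recoverable form, so the backup directory needs the same access control as the NPS server itself.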


Configuring RADIUS Accounting


Using Password-Based Authentication

• The network access server passes the username and password to the NPS server.

• The NPS server verifies the credentials against the user account database.

o The enabled authentication methods are tried in order from the most secure (Microsoft Challenge-Handshake Authentication Protocol v2, MS-CHAPv2) to the least secure (unauthenticated access).

• For stronger security, use certificate authentication or multi-factor authentication.


Using Certificates for Authentication

• Much stronger than password-based authentication methods

• Certificates are:

o Customized using certificate templates

o Issued using a Certificate Authority

• If smart cards are used, certificates must include:

o Smart Card Logon purpose

o Client Authentication purpose

Objective 4.2: Configuring NPS Policies


Network Policy Server (NPS) Policies

• Connection Request: Specifies which RADIUS servers perform authentication, authorization, and accounting

• Network: Specifies who is authorized to connect to the network and the circumstances under which they can or cannot connect

• Health: Establishes system health validators (SHVs) and other settings that define client computer configuration requirements for NAP-capable computers


Configuring Connection Request Policies

Connection request policies are based on a range of factors such as:

• The time of day and day of the week

• The realm name in the connection request

• The type of connection requested

• The IP address of the RADIUS client


Configuring Network Policies

An NPS network policy evaluates remote connections based on these three components:

• Conditions

• Constraints

• Settings


Encryption Options

• Basic Encryption (MPPE 40-Bit): For dial-up and PPTP-based VPN connections, MPPE is used with a 40-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.

• Strong Encryption (MPPE 56-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 56-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.

• Strongest Encryption (MPPE 128-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 128-bit key. For L2TP/IPsec VPN connections, 168-bit Triple DES encryption is used.

• No Encryption: This option allows unencrypted connections that match the remote access policy conditions. Clear this option to require encryption.


IP Addressing

IP settings include these options:

• Server Must Supply An IP Address

• Client May Request An IP Address

• Server Settings Determine IP Address Assignment (the default setting)

• Assign A Static IP Address

Objective 4.3: Configuring Network Access Protection (NAP)


Network Access Protection (NAP)

• NAP is Microsoft’s software for controlling network access for computers based on the health of the host.

• NAP can be used on any computer that runs Windows and supports NAP.

• Types of computers that connect to a network:

o Desktop computers

o Roaming laptops

o Unmanaged home computers

o Visiting laptops


NAP Built-In Enforcement Methods

• DHCP

• IPsec

• VPN

• 802.1x

• Remote Desktop Gateway (RD Gateway)


DHCP Enforcement

To control network access, DHCP enforcement sets the following:

• DHCP Router option is set to 0.0.0.0 so noncompliant computers do not have a configured default gateway.

• Subnet mask is set to 255.255.255.255 so that there are no routes to the attached subnet.
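A client-side check for the two DHCP enforcement settings just described, as an added example (not from the course slides): it reports each DHCP-configured adapter and whether its lease carries the restricted-access profile (no usable default gateway plus a 255.255.255.255 mask), which is what a help desk sees when a quarantined machine "cannot reach anything". Assumes Windows 8 / Server 2012, where the Win32_NetworkAdapterConfiguration WMI class and the `netsh nap client` context exist.

```powershell
# Added example: detect NAP DHCP enforcement (restricted access) on the local client.
# Uses Win32_NetworkAdapterConfiguration; IPAddress and IPSubnet are parallel arrays.
function Test-NapDhcpRestriction {
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE'
    foreach ($a in $adapters) {
        # Keep only IPv4 entries, paired with their subnet masks
        $v4 = @()
        for ($i = 0; $i -lt $a.IPAddress.Count; $i++) {
            if ($a.IPAddress[$i] -notmatch ':') {
                $v4 += [pscustomobject]@{ Address = $a.IPAddress[$i]; Mask = $a.IPSubnet[$i] }
            }
        }
        # Router option 0.0.0.0 shows up as no gateway at all or as a literal 0.0.0.0 entry
        $noGateway = (-not $a.DefaultIPGateway) -or ($a.DefaultIPGateway -contains '0.0.0.0')
        # A /32 mask leaves no on-link route to the subnet
        $hostMask  = @($v4 | Where-Object { $_.Mask -eq '255.255.255.255' }).Count -gt 0
        [pscustomobject]@{
            Adapter    = $a.Description
            Address    = (@($v4 | ForEach-Object { $_.Address }) -join ',')
            Mask       = (@($v4 | ForEach-Object { $_.Mask }) -join ',')
            DhcpServer = $a.DHCPServer
            Restricted = ($noGateway -and $hostMask)
        }
    }
}

Test-NapDhcpRestriction | Format-Table -AutoSize

# When Restricted is True, the NAP agent reports which SHV failed:
netsh nap client show state
```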


NAP Architecture Components

NAP client-side components

NAP enforcement points

NAP health policy server

System Health Agents (SHAs)


NAP Architecture Components (cont.)

Statement of Health (SoH)

NAP Agent

Health Registration Authority (HRA)

Health requirements server

Remediation servers


System Health Validators

• System Health Validators (SHVs) settings define the requirements for client computers that connect to your network.

• You configure SHVs using the Network Policy Server console.

• Windows 8 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings.

• Windows Server 2012 includes a corresponding Windows Security Health Validator SHV.


Configuring System Health Validators

SHV options:

• Firewall Settings

• Antivirus Settings

• Spyware Protection Settings

• Automatic Updates Settings

• Security Updates Settings


Configuring Health Policies

• Health policies consist of one or more system health validators and other settings that enable you to define client computer configuration requirements for the NAP-capable computers that attempt to connect to your network.

• Health policy pairs:

o NAP-compliant

o NAP-noncompliant


Configuring Health Policies (cont.)

NAP enforcement settings:

• NAP DHCP-compliant: Allow full network access.

• NAP DHCP-noncompliant: Allow limited access.

• NAP DHCP non-NAP-capable: Allow full network access.


Configuring Isolation and Remediation

• If a computer is noncompliant, it should be isolated from the production network.

• When you configure NAP, you can configure either a monitor-only policy or an isolation policy.


Configuring Isolation and Remediation (cont.)

Remediation servers typically consist of:

• DHCP servers to provide IP configuration

• Naming servers, including DNS servers and WINS servers

• Active Directory domain controllers (read-only domain controllers are recommended to minimize security risks)

• Internet proxy servers so that noncompliant NAP clients can access the Internet


Configuring NAP Client Settings

• You can enable Security Center on NAP-capable clients with the Enable Security Center in Group Policy procedure.

• Some NAP deployments that use the Windows Security Health Validator require Security Center.

• Open the Services console, start the Network Access Protection Agent service, and set its startup type to Automatic.
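The same client-side steps scripted for a fleet, as an added example (not from the course slides): set the NAP agent and Security Center services to Automatic, start them, and confirm what Group Policy has actually applied. Assumes the real service names `napagent` (Network Access Protection Agent) and `wscsvc` (Security Center) and an elevated session; the function name is an assumption.

```powershell
# Added example: PowerShell equivalent of the Services console steps for a NAP client.
# Service names: napagent = Network Access Protection Agent, wscsvc = Security Center.
# If Group Policy manages these services, a local Set-Service is overwritten at the next
# refresh, which is why the netsh output at the end is the authoritative check.
function Enable-NapClientServices {
    param([string[]]$Services = @('napagent', 'wscsvc'))
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$name' not found; this machine may not support NAP."
            continue
        }
        Set-Service -Name $name -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name $name }
        # Get-Service on Server 2012 has no StartType property, so read StartMode from WMI
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        [pscustomobject]@{
            Service   = $name
            Status    = (Get-Service -Name $name).Status
            StartMode = $mode
        }
    }
}

Enable-NapClientServices | Format-Table -AutoSize

# Confirm the enforcement clients and the Group Policy NAP client settings in effect
netsh nap client show grouppolicy
netsh nap client show state
```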