Implementing simple Network Access Protection for Windows Server 2008

The installation process for Network Access Protection in Windows Server 2008 is easier than you think. Learn the basics of implementing NAP in your environment.

You may be familiar with the potential benefits of Microsoft's new Network Access Protection (NAP) capabilities available with Windows Server 2008. NAP leverages the Network Policy Server role service -- along with other components -- to require that computers attempting to join the network meet certain established standards of health. That health can be based on firewall settings, antivirus and anti-malware configurations, the level of patches installed to the machine and other factors.

While NAP's ability to protect your environment from unhealthy computers is a huge benefit, there's a good chance that some administrators are still confused about how to implement it.

NAP can protect a network across five potential enforcement mechanisms, and some are more challenging to implement than others. Of the five, integrating Network Access Protection with Dynamic Host Configuration Protocol (DHCP) is arguably the easiest configuration. The DHCP enforcement mechanism requires clients to pass a health check before grabbing an address from the DHCP server. In order to do that, you'll need a Windows Server 2008 system to operate as both a NAP and DHCP server. Windows Vista and Windows XP Service Pack 3 clients can each participate.

At least it's something

In this example, we'll take a look at the simplest of NAP installations to get you started. The first step is to create a global group in your domain. Into this global group you'll add the computers that must pass a health check before they receive a DHCP address. Enforcing health checks in this manner allows you to exclude machines that you aren't interested in or that may not be able to participate.

NAP can protect a network across five potential enforcement mechanisms, and some are more challenging to implement than others.

Assuming that you've already moved DHCP services over to Windows Server 2008, the next step is to prepare it for Network Access Protection support. In the DHCP Server console, right-click the scope of interest and view its properties. On the Network Access Protection tab, click the radio button that enables NAP for this scope. Next, right-click Scope Options and choose Configure Scope Options. Under the Advanced tab, set the drop-down boxes for DHCP Standard Options and Default User Class. Fill out options three, six and 15 with network information that is appropriate for your environment. Then change the User Class to Default Network Access Protection Class. Once again fill out options three, six and 15, but this time change option 15 to read restricted.yourDomainName.com. By doing this, you are instructing DHCP to hand a different DNS suffix to unhealthy clients.

Next, add the Network Policy and Access Services (NPAS) role along with the Network Policy Server (NPS) role service to your DHCP server. In the NPAS console, click the NPS (Local) link. Then, in the right pane under Standard Configuration, click the link for Configure NAP. This launches a wizard used for Network Access Protection's initial configuration. In its first screen, set the Network Connection Method to DHCP. In this simple example, you can accept the defaults for each of the subsequent screens. For a production installation, additional granularity can be set either within the wizard or later within the NPAS console.

System Health Validators (SHVs) are used to determine which areas of health are to be monitored. Figure 1 shows an example of the default Windows SHV. To modify the default SHV in the NPAS console, navigate to the System Health Validators node and double-click the Windows SHV followed by the Configure button. For this example, unselect every option with the exception of the checkbox for the Windows Firewall. This will prevent computers that don't have the firewall enabled from receiving a DHCP address.

Figure 1

Remediation servers exist in the restricted network for automatically "fixing" unhealthy clients. In our example, we'll use our domain controller as a remediation server, which gives it the job of enabling the firewall for any noncompliant clients attempting to get a DHCP address. You can enable this in the NPAS console by navigating to Policies | Network Policies and double-clicking the NAP DHCP Noncompliant item in the right pane. This item tells NAP what to do when it discovers a computer is noncompliant.

Next, click NAP Enforcement under its Settings tab. You'll see in the right pane that noncompliant computers are allowed only limited access to our restricted network as assigned by the DHCP server. You'll also see that default clients will be auto-remediated. Click the Configure button, and in the resulting window, click the New Group button. Create a new group and add a domain controller to it. This identifies the DC as the remediation server.

More on security with Windows Server 2008

Windows PowerShell: A backdoor to malware?

Easing security concerns with Server Core

Video: Breaking down the RODC with Windows 2008

The next step is to configure the client's Network Access Protection service via Microsoft Group Policy. Three settings are important here. First, navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services and set the Network Access Protection Agent startup to Automatic. This "force-enables" the client agent. You must also turn on the Security Center at Computer Configuration | Policies | Administrative Templates | Windows Components | Security Center.

Lastly, under Computer Configuration | Policies | Windows Settings | Security Settings | Network Access Protection | NAP Client Configuration | Enforcement Clients, enable the DHCP Quarantine Enforcement Client, then go back up to NAP Client Configuration, right-click and choose Apply. Once complete, attach the Group Policy Object to the domain and configure its Security Filtering to apply to only the global group you created in the very beginning.

Once Group Policy begins to apply to client machines, you can test your configuration by disabling a client's firewall. You'll see a balloon pop-up telling you that the computer does not meet the requirements of the network. In a few seconds, auto-remediation kicks in and automatically restarts the firewall to bring the computer back into compliance.

This is an exceptionally simple example using only a single network instead of remanding noncompliant clients to a segregated quarantine network for remediation. So your mileage will vary. But as you'll see in clicking through the menus, Windows Server 2008's Network Access Protection has a rich set of options for turning the knobs to the specific configuration you want.

Greg Shields, MVP, is a co-founder and IT guru with Concentrated Technology, with nearly 15 years of IT architecture and enterprise administration experience. He is an IT trainer and speaker on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available from Sapien Press.

Dig Deeper on Windows Server troubleshooting