Transcript Jayson Ferron CIO Interactive Security Training WSV206 Windows Clients and Windows Server 2008 NAP: Why they are better together In the talk you see why.

Jayson Ferron
CIO
Interactive Security Training
WSV206
Windows Clients and Windows Server 2008 NAP:
Why they are better together
In the talk you see why using the built functionality
of Windows in both the client and server makes a
compelling argument for introducing this
technology into your company
We will explore the required services and
configurations that an administrator needs to
understand in planning NAP
We will cover new features that are in Windows 7
and Server 2008 r2
What is Network Access Protection (NAP)
Protect from Malware threats
We will talk about
using malware prevention technologies, how NAP
provides centralized definition, integration, and
enforcement of system health requirements to help
prevent the exposure to malware on a private network
What is required to Setup NAP
What’s new With Windows 7 and Server 2008
With demos along the way
Network Access Protection Overview
The NAP platform requires servers running Windows Server
2008 or later and NAP-aware clients:
Windows XP SP3 and later
Windows Server 2008 and later
Additional Hardware Switched network that supports 802.1X
Set of operating system components that provide a platform
for system health-validated access to networks
An architecture through which policy validation, network
access limitation, automatic remediation, and ongoing
compliance can occur
Additional components supplied by third-party software
vendors or Microsoft
Why NAP
We do not trust users to install all patches and
updates as required and need to Verify that
system are in compliance
Do the systems have:
current anti-virus software?
current anti-spyware?
current corporate-approved patches?
host-based statefull enabled?
What other configuration settings are required for
adherence to the organization’s security policies?
NAP is an Additional Layer in
Network Security
Network Access Protection is not a silver bullet for
network security
NAP is about stopping the next big virus or
vulnerability by ensuring clients are well maintained
and isolated if deemed unhealthy
NAP is not designed for:
blocking unauthorized users
rogue machine control
software distribution control
NAP is a flexible health control solution that is reliant
on other mechanisms to solve these issues
NAP Walkthrough
Untrusted Network
Boundary
Network
Secure
Network
DHCP
Here it is.
May I have a health
certificate? Here’s my SoH.
Client
You
don’t
gethealth
a health
certificate.
Here’s
your
certificate.
Go fix up.
I need updates.
CA
Issue
me
a health
Client
OK?
certificate.
HRA
Accessing the network
Yes.Needs
Issue fix-up.
No.
health certificate.
X

NPS
Here you go.
Remediation Server
NAP Components
Platform
Components
Enforcement
Components
Health Components
System Health
Agents
= Declare
(patch
state,
virusnetwork
signature,
system
configuration,
etc.).
Agent
(QA)(SHA)
= Reports
clienthealth
status,
coordinates
between
SHAdevice(s);
and
QEC. DHCP, VPN,
Quarantine
Enforcement
Clients
(QEC)
=health
Negotiate
access
with
access
1X, IPSec QECs.
Quarantine
Server
(QS) ==(SHV)
Restricts
client’sdeclarations
network
access
on what
SHV certifies.
System
Validators
= Certify
madebased
byendpoints.
health
agents.
NetworkHealth
Access
Devices
Provide
network
access to
healthy
Health
RequirementAuthority
Servers ==Define
requirements
system
components.
Health Registration
Issueshealth
certificates
to clientsfor
that
pass health
checks.
Remediation Servers = Install necessary patches, configurations, applications. Bring
clients to healthy state.
Health Requirement
Servers
Remediation Servers
Health Policy
Updates
Client
Health
Statements
SHA<n>
Health Result
Health Certificate
NAP
Agent
QEC
1
Network
Access
Requests
QEC
2
Health Registration
Authority
Network
Policy
Server
SHV<n>
Network Policy Server
System Health Agent Options
Allows for multiple configurations of SHA deployments
Windows SHA
Antivirus settings
Antispyware settings
Firewall settings
Windows Updates Settings
System Center Configuration Manager 2007 (SCCM) SHA
Patch Management
Forefront Client Security (FCS) SHA
3rd party SHAs
SoH Renewal Processing
Client SoH is revalidated when:
Health certificate approaches 80% of validity time
Network state changes
Changes in client configuration detected by an SHA
Group policy is updated
How NAP Integrates with IPsec
NAP evaluates computer health and issues a
“health certificate” through a
Health Registration Authority (HRA)
Compliant hosts receive a health certificate
Noncompliant hosts are denied
Non NAP-capable hosts receive “health exemption”
certificates through AutoEnrollment
IPsec policy is configured to require health
certificate for Tunnel and/or Transport Mode
Can be combined with optional
user-level authentication
NAP Components
Network Policy Server (NPS)
Certification Authority (CA)
Health Registration Authority (HRA)
NAP Agent with IPSec Relying Party
Health Registration Authority
The Health Registration Authority (HRA) is used to
issue health certificates to clients that satisfy
health checks
Web service receiving requests from the NAP clients
HRA is a new Windows Server 2008 or Windows Server
2008 R2 role
Health certificates are regular X.509 certificates with
a very short lifetime (on the order of hours)
System Health Authentication OID in the certificate
Network Policy Server
Network Policy Server (NPS) is used by the HRA
to validate the SoH
NPS receives computer credentials and SOH from
HRA using RADIUS protocol
SoH is evaluated by SHVs running on the NPS server,
and results matched against the Health policies
Network policies are then used to authorize or
deny network connection requests
Network Policy Options
Allow full network access
Allow full network access for limited time
Enforcement is deferred until a later date
Limited network access
Access is restricted to remediation servers
Network Policy Server (NPS)
Name
Title
Company
Certification Authority
Issues health certificates for NAP-compliant machines
Certificate Authority requirements:
Enterprise or standalone subordinate CA under
a trusted Root CA
Windows Server 2003 or later
Recommended that dedicated health
certificate-issuing CAs are deployed
No revocation is typically required due to short
certificate lifetime
High volume of certificates issued could impact other
services also relying on the CA
IPsec Relying Party
The IPsec Relying Party is a component of the
NAP Agent that obtains a health certificate from
the Health Registration Authority (HRA)
Also interacts with the following:
Certificate store: Stores the health certificate
IPSec components in Windows: Ensures that
health certificates are used for
IPSec-based communication
Host-based firewall (such as Windows Firewall):
Ensures that IPSec-protected traffic is allowed
by the firewall
Health Registration Authority
(HRA) Configuration
Exposed to the Internet to receive health information
and issue certificates to external clients
Forefront TMG/UAG can be used to securely publish HRA
web services
Forwards requests to internal NPS and CA servers
NPS proxy installed on the HRA servers
Multiple HRAs load balanced for high availability
Use of HRA Discovery to publish HRA information
using DNS
Network Policy Server
(NPS) Configuration
NPS servers configured in the internal network,
receiving the RADIUS requests from the HRAs
Multiple NPS servers configured in Server Group for
high availability
Configuration stored locally, use scripts
to replicate
Configure NPS logging
Allows logging to text files or database (ODBC)
Best practice is to log to local database, replicate to
central SQL repository
Certification Authority
(CA) Configuration
Microsoft Certificate Services required
Can be configured either as Stand-Alone or Enterprise CA
Requires security permissions to enable HRA to
request and manage certificates
Also certificate template permissions for Enterprise CAs
Best practice is to dedicate CA to Health Certificates
Volume of certificate requests would overwhelm existing
CAs and make certificate database management hard
Windows Server 2008 R2 CA allows non-persisted
certificate requests
NAP Client Configuration
Enable NAP Agent service and IPsec Relying
Party
Configure HRA URLs
Install and enable SHAs
For Windows SHA, turn on Security Center
Configure IPSec policy to use health certificates
NAP Health Exemptions
Use AutoEnrollment to enroll “Health
Exemption” certificates to systems exempt from
NAP compliance
Define group for DA clients exempt from NAP
Create certificate template with the following attribute:
Custom application policy – “Server Health”
OID = “1.3.6.1.4.1.311.47.1.1”
Grant enroll and autoenroll permissions to group
Remediation Servers
Any service that needs to be available to clients for
remediation to happen
Depend on what SHAs are being used by organization
Remediation Servers need to be reachable from
unhealthy clients
Publish remediation servers externally to the Internet
Use separate DA server and IPv6 subnet for remediation
servers
Require additional (non-health) client certificate to secure access to
remediation subnet
New for Windows 7 and
Windows Server 2008 R2
Network Policy Server (NPS) new
features in Windows Server 2008 R2:
NPS Templates and Templates Management
RADIUS accounting improvements
Full support for international, non-English
character sets using UTF-8 encoding
Network Access Protection (NAP) new features in
Windows Server 2008 R2 and Windows 7
Multi-configuration SHV
NAP client user interface improvements.
Multi-Configuration SHV
SHVs define configuration requirements for
computers that attempt to connect to your
network, via wired, wireless, or VPN
With multi-configuration SHV, a single NAP
health policy server can be used to deploy
multiple configurations of the same SHV
NAP Walkthrough
Untrusted
Network
Boundary
Network
Secure
Network
DHCP
Here it is.
May I have a health certificate?
Here’s my SoH.
You
don’tyour
get ahealth
healthcertificate.
certificate.
Here’s
Go fix up.
Client
I need updates.
Issue
me
a health
Client
OK?
certificate.
HRA
Yes.Needs
Issue fix-up.
No.
health certificate.

X
Accessing the network
Here you go.
CA
Remediation
Server
NPS
Windows Clients and Windows Server 2008 R2
NAP: Why They Are Better Together
In the talk you seen why using the built
functionality of Windows in both the client and
server make a compelling argument for
introducing this technology into your company.
We have will explore the required services and
configurations that a administrator need to
understand in planning NAP.
We covered some of new features that are in
Windows 7 and Server 2008 r2
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
Windows Server Resources
Make sure you pick up your
copy of Windows Server 2008
R2 RC from the Materials
Distribution Counter
Learn More about Windows Server 2008 R2:
www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section):
Highlighting Windows Server 2008 and R2 technologies
• Over 15 booths and experts from Microsoft and our partners
Complete an
evaluation on
CommNet and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.