Network Access Protection

If you’ve seen the speed at which a rogue machine or dial-up client infected with a virus can wreak havoc on a network, you’ll appreciate new access-control features in Windows Server 2008.

Network Access Protection (NAP) replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which provided the ability to restrict access to a network for dial-up and virtual private network (VPN) clients. The solution was limited and complicated. Scripts were run on clients to check compliance; Connection Manager Profiles had to be used and restricted to dial-up/VPN clients only.

NAP improves on this functionality by additionally restricting clients that connect to a network directly, either wirelessly or physically. Compliance is checked via the Security Center, alleviating the need to write scripts. NAP restricts clients using the following enforcement methods: IP security (IPsec), 802.1x, Dynamic Host Configuration Protocol (DHCP) and VPN.

Enforcement Methods

IPsec is the strongest and most configurable NAP enforcement method, providing end-to-end protection, with enforcement performed on each individual client rather than at the point of access. One of the main advantages of IPsec over 802.1x is that it doesn’t require any supporting network hardware. It does require additional components, such as a Health Registration Authority (HRA), which grants health certificates to clients from a Certificate Server. IPsec enforcement is the most flexible, allowing restrictions based on the computer and/or application.

Often used to secure wireless networks, the main disadvantage of 802.1x is that clients must access the physical network through 802.1x-enabled hardware, such as a wireless access point or 802.1x-enabled switch. 802.1x restricts access by shutting off a switch port or by granting a limited-access profile to the client, which uses either IP packet filters or a VLAN (virtual LAN) Identifier. You should note that 802.1x enforcement is more secure than DHCP, but it can be circumvented — for instance, by connecting a hub to the network backbone. Unlike IPsec, 802.1x prevents noncompliant computers from sending packets on a protected network.

DHCP is the weakest enforcement method. An IP address is dynamically assigned to a client if it meets prerequisites defined by NAP. If those prerequisites are not met, an IP address is still assigned but with routing restrictions. Although DHCP is the easiest way to deploy NAP, any user who has administrative access to a client can statically assign an IP address, thereby gaining access to the network.

The VPN enforcement method uses IP packet filtering for restricting noncompliant computers. NAP can be configured to work with more than one enforcement method, so VPN enforcement can be used for remote clients and any of the other methods for directly connected clients.

Remediation

Remediation is the ability to transform a noncompliant computer into a compliant one. Usually this is achieved by providing a limited-access profile to a noncompliant system so that it can access remediation servers. Windows Update Services is an example of a remediation server that is NAP-aware. Check this link for software vendors that support NAP: http://www.microsoft.com/windowsserver2008/nap-partners.mspx

NAP and 802.1x

Out of the four enforcement methods outlined in this article, 802.1x provides a good balance between ease of deployment and security, assuming your network infrastructure has the hardware to support 802.1x. Most wireless access points (APs) support 802.1x, and many modern Ethernet switches are also 802.1x-enabled. On a small network, you may be prevented from deploying NAP with 802.1x if unmanaged Ethernet hubs make up the backbone.

Install the Network Policy Server (NPS) Role

Open Server Manager from the Start menu on Windows Server 2008. In Server Manager, select Add Roles under Roles Summary. Click Next, select Network Policy and Access Services and click Next again. Click past the introduction screen, check Network Policy Server at the top of the list on the Select Role Services screen and click Next. Click Install on the confirmation screen. Check the installation results and click Close. 

Figure 1

Configure the Network Switch as a RADIUS Client

Open the Network Policy Server MMC from Start > Administrative Tools. Right-click RADIUS Clients under RADIUS Clients and Servers and select New RADIUS Client from the menu. Enter a Friendly Name and Address (IP or DNS) details for the switch. Type and confirm a shared secret, which should match the configured secret on the switch. Under Additional Options, check the Access-Request messages must contain the Message-Authenticator attribute box (Figure 1) and click OK. This option protects NPS from spoofed IP addresses and RADIUS message tampering. The new RADIUS client will appear in the right-hand pane of the Network Policy Server MMC under RADIUS Clients.

Connection Request Policy (CRP)

Start by disabling the default CRP. Expand Policies and then click Connection Request Policies. In the right-hand pane of the MMC, click Use Windows authentication for all users and select Disable from the menu. Right-click Connection Request Policies in the left-hand pane and select New from the menu. A new window will open to configure the policy. Type PEAP under Policy Name and leave the Type of network access server as Unspecified. Click Next. On the Specify Conditions screen, click Add. Under Select condition, scroll down to RADIUS Client and select Client IPv4 Address and click Add. In the Client IPv4 Address dialog box, enter the IP address of the 802.1x-enabled switch and click OK. The new condition and IP address will appear under Conditions in the New Connection Request Policy window. Click Next.

While authenticating requests from the switch using NPS on this server, leave Authenticate requests on this server selected and click Next. Under Specify Authentication Methods, select Override network policy authentication settings and click Add under EAP Types. In the Add EAP dialog, click Microsoft: Protected EAP (PEAP) and OK. Click Next (Figure 2) and Next again past the Configure Settings window. Click Finish on the completion screen. The new CRP will appear enabled in the right-hand pane of the NPS MMC under Connection Request Policies.

Figure 2

System Health Validator (SHV)

Use the default SHV. No extra configuration is required.

Figure 3

Health Policy

Health Policies define which SHVs are evaluated and how. You need to configure two policies: one for compliance and one for noncompliance. Under Policies, right-click Health Policies and select New. Name the policy Compliant, check Windows Security Health Validator under SHVs used in this health policy and press OK. Repeat this procedure, but name the policy “Non-compliant,” and select Client fails one or more SHV checks under Client SHV checks and press OK (Figure 3).

Network Policy

While creating two network policies (previously, remote access policy), determine the appropriate VLAN for clients based on health policy results: compliant or noncompliant. Right-click Network Policies under the Policies node and select New. Name the policy “Non-compliant” and click Next. On the Specify Conditions screen, click Add. Select Health Policies under Network Access and click Add again. In the Health Policies dialog, select Non-compliant and press OK. The new condition will appear under “Conditions” in the New Network Policy window. Click Next. On the Specify Access Permission screen, leave Access granted selected and click Next. Click Next past the Configure Authentication Methods and Configure Constraints windows.

On the Configure Settings screen, select Standard under RADIUS Attributes and click Add. Select Tunnel-Medium-Type under Attributes and press Add. Leave Commonly used for 802.1x selected and click OK twice. Add another attribute; select Tunnel-Pvt-Group-ID from the list and click Add. In the Attribute Information dialog box, click Add, enter the ID of the VLAN for non-compliant computers as a string value, and press OK twice.  Finally, add the Tunnel-Type attribute and click Add. In the Attribute Information dialog box, click Add, select Commonly used for 802.1x and click OK twice. Close the Add Standard RADIUS Attribute dialog box and review the attributes as shown in Figure 4.

Figure 4

Select Vendor Specific under RADIUS Attributes and Add on the right-hand side of the dialog. Select Tunnel-Tag from the list of attributes and click Add. For the correct Tunnel-Tag attribute, you will need to consult the documentation for your 802.1x-enabled access point. If this information is not available, use a value of 1. Enter the attribute value and click OK. Close the Add Vendor Specific Attribute dialog.

On the Configure Settings screen, select NAP Enforcement under Settings, and select Allow Limited Access on the right-hand side of the screen (Figure 5). Click Next and then Finish on the completion screen.

Figure 5

To create a policy for compliant computers, repeat the steps for the noncompliant policy, but instead:

• Name the policy “Compliant.”
• Add the Compliant Health Policy.
• Specify the appropriate VLAN ID and Tunnel-Tag for compliant computers.
• Select Allow full network access under NAP Enforcement.

Configure a Vista Client

You’ll be relieved that this is much simpler than configuring the server. Open the Group Policy Management Console (GPMC) on Windows Server 2008 and create a new Group Policy Object (GPO) for the domain by right-clicking Group Policy Objects and selecting New. Name the policy “NAP” and click OK. Expand the Group Policy Objects node, right-click the NAP policy and select Edit from the menu. The Group Policy Management Editor window will open. Expand Computer Configuration > Policies > Windows Settings > Security Settings and click Services. Find the two services listed below in the right-hand pane, and for each select Define this policy setting and set the Startup type to Automatic:

• Network Access Protection Agent
• Wired AutoConfig

Under Security Settings, expand Network Access Protection > NAP Client Configuration and select Enforcement Clients. In the right-hand pane, double-click EAP Quarantine Enforcement Client, check Enable this enforcement client and click OK.

Figure 6

Go back to Security Settings and find Wired Network (IEEE 802.3 Policies) in the list. Right-click and select Create a New Windows Vista Policy. On the General tab, give the new policy a name and ensure that Use Windows Wired Auto Config service for clients is selected. On the Security tab, select Microsoft: Protected EAP (PEAP) as the authentication method and click Properties. In the Protected EAP Properties dialog box, check Enable Quarantine Checks and click OK (Figure 6). Click OK again to complete the configuration.

Under Computer Configuration, expand Administrative Templates > Windows Components and select Security Center. In the right-hand pane, double-click Turn on SecurityCenter (Domain PCs only), set the policy to “Enabled” and press OK.

Close the Group Policy Management Editor window and link the new GPO to an appropriate container in your Active Directory hierarchy so that it will apply to the required Vista client(s). Refresh policy and network connection by restarting a Vista client to which the GPO applies.

Testing NAP

The Vista client to be tested should be connected to a switch port where 802.1x authentication is enabled. If Vista meets the requirements of NAP Health Policy, it should successfully authenticate and connect to the compliant VLAN. If not, authentication should still occur, but the client will be connected to the noncompliant VLAN. You can confirm this by logging on to the switch. If a client doesn’t meet Health Policy requirements, a notification balloon should appear in the task bar.

Additionally, you can test auto-remediation functionality by turning off Windows Firewall on Vista, rendering it noncompliant. Auto-remediation should rectify this problem automatically and issue a new Statement of Health (SoH) to the client, enabling full network access on the compliant VLAN. More advanced testing of this functionality, for Windows Updates or antivirus signatures, would require appropriate remediation servers accessible on the noncompliant VLAN.

Microsoft’s Network Access Control solution is thorough, but without a deep knowledge of networking technologies, it can be complicated to configure. DHCP enforcement is simple to deploy but easily circumvented, and 802.1x requires supporting hardware. For smaller networks, it may be worth considering DHCP enforcement because it can help to enforce IT policy to a limited extent. IPsec is more suitable where encryption may also be of benefit in security sensitive environments.

Making a decision about NAP and the various enforcement methods will largely depend on what you’re trying to achieve and your existing network infrastructure. If you don’t have an infrastructure that supports 802.1x, following through these configuration steps will still help you to understand the components of NAP and how they work together.