View
219
Download
1
Tags:
Embed Size (px)
Citation preview
Windows Clients and Windows Server 2008 NAP: Why They Are Better Together
Jayson FerronCIOInteractive Security TrainingWSV206
Windows Clients and Windows Server 2008 NAP: Why they are better together
In the talk you see why using the built functionality of Windows in both the client and server makes a compelling argument for introducing this technology into your companyWe will explore the required services and configurations that an administrator needs to understand in planning NAPWe will cover new features that are in Windows 7 and Server 2008 r2
What is Network Access Protection (NAP)
Protect from Malware threatsWe will talk about
using malware prevention technologies, how NAP provides centralized definition, integration, and enforcement of system health requirements to help prevent the exposure to malware on a private network
What is required to Setup NAPWhat’s new With Windows 7 and Server 2008With demos along the way
Network Access Protection Overview
The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients:
Windows XP SP3 and laterWindows Server 2008 and later
Additional Hardware Switched network that supports 802.1X Set of operating system components that provide a platform for system health-validated access to networksAn architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occurAdditional components supplied by third-party software vendors or Microsoft
Why NAP
We do not trust users to install all patches and updates as required and need to Verify that system are in compliance
Do the systems have:current anti-virus software?current anti-spyware?current corporate-approved patches?host-based statefull enabled?
What other configuration settings are required for adherence to the organization’s security policies?
NAP is an Additional Layer in Network Security
Network Access Protection is not a silver bullet for network securityNAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthyNAP is not designed for:
blocking unauthorized usersrogue machine controlsoftware distribution control
NAP is a flexible health control solution that is reliant on other mechanisms to solve these issues
Accessing the network
Remediation Server
NPS
May I have a health certificate? Here’s my SoH. Client OK?
No. Needs fix-up.You don’t get a health certificate.Go fix up.
I need updates.
Here you go.
Yes. Issue health certificate.Here’s your health certificate.
Client
NAP WalkthroughUntrusted Network
BoundaryNetwork
Secure Network
CA
Issue me a health certificate.
Here it is.
DHCP
HRA
X
Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies.
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
NAP Components
NetworkPolicy Server
Network Policy Server
Client
NAPAgent
Health PolicyUpdates
HealthStatements
NetworkAccessRequests
Health RequirementServers
Remediation Servers
Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
System Health Validators (SHV) = Certify declarations made by health agents.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
Health Registration Authority = Issues certificates to clients that pass health checks.
Platform Components
Health Requirement Servers = Define health requirements for system components.
Health ResultHealth Certificate
Health Registration Authority
Network Access Devices = Provide network access to healthy endpoints.
SHA<n>
SHV<n>
QEC1
QEC2
System Health Agent OptionsAllows for multiple configurations of SHA deployments Windows SHA
Antivirus settingsAntispyware settingsFirewall settingsWindows Updates Settings
System Center Configuration Manager 2007 (SCCM) SHAPatch Management
Forefront Client Security (FCS) SHA3rd party SHAs
SoH Renewal Processing
Client SoH is revalidated when:Health certificate approaches 80% of validity timeNetwork state changes Changes in client configuration detected by an SHA Group policy is updated
How NAP Integrates with IPsec
NAP evaluates computer health and issues a “health certificate” through a Health Registration Authority (HRA)
Compliant hosts receive a health certificateNoncompliant hosts are denied
Non NAP-capable hosts receive “health exemption” certificates through AutoEnrollmentIPsec policy is configured to require health certificate for Tunnel and/or Transport Mode
Can be combined with optional user-level authentication
NAP Components
Network Policy Server (NPS)Certification Authority (CA)Health Registration Authority (HRA)NAP Agent with IPSec Relying Party
Health Registration Authority
The Health Registration Authority (HRA) is used to issue health certificates to clients that satisfy health checks
Web service receiving requests from the NAP clientsHRA is a new Windows Server 2008 or Windows Server 2008 R2 role
Health certificates are regular X.509 certificates with a very short lifetime (on the order of hours)
System Health Authentication OID in the certificate
Network Policy Server
Network Policy Server (NPS) is used by the HRA to validate the SoH
NPS receives computer credentials and SOH from HRA using RADIUS protocolSoH is evaluated by SHVs running on the NPS server, and results matched against the Health policiesNetwork policies are then used to authorize or deny network connection requests
Network Policy Options
Allow full network accessAllow full network access for limited time
Enforcement is deferred until a later dateLimited network access
Access is restricted to remediation servers
Certification Authority
Issues health certificates for NAP-compliant machinesCertificate Authority requirements:
Enterprise or standalone subordinate CA under a trusted Root CAWindows Server 2003 or later
Recommended that dedicated health certificate-issuing CAs are deployed
No revocation is typically required due to short certificate lifetimeHigh volume of certificates issued could impact other services also relying on the CA
IPsec Relying Party
The IPsec Relying Party is a component of the NAP Agent that obtains a health certificate from the Health Registration Authority (HRA)Also interacts with the following:
Certificate store: Stores the health certificateIPSec components in Windows: Ensures that health certificates are used for IPSec-based communicationHost-based firewall (such as Windows Firewall): Ensures that IPSec-protected traffic is allowed by the firewall
Health Registration Authority (HRA) Configuration
Exposed to the Internet to receive health information and issue certificates to external clients
Forefront TMG/UAG can be used to securely publish HRA web services
Forwards requests to internal NPS and CA serversNPS proxy installed on the HRA servers
Multiple HRAs load balanced for high availabilityUse of HRA Discovery to publish HRA information using DNS
Network Policy Server (NPS) Configuration
NPS servers configured in the internal network, receiving the RADIUS requests from the HRAs
Multiple NPS servers configured in Server Group for high availability
Configuration stored locally, use scripts to replicateConfigure NPS logging
Allows logging to text files or database (ODBC)Best practice is to log to local database, replicate to central SQL repository
Certification Authority (CA) Configuration
Microsoft Certificate Services requiredCan be configured either as Stand-Alone or Enterprise CA
Requires security permissions to enable HRA to request and manage certificates
Also certificate template permissions for Enterprise CAsBest practice is to dedicate CA to Health CertificatesVolume of certificate requests would overwhelm existing CAs and make certificate database management hardWindows Server 2008 R2 CA allows non-persisted certificate requests
NAP Client Configuration
Enable NAP Agent service and IPsec Relying PartyConfigure HRA URLsInstall and enable SHAs
For Windows SHA, turn on Security CenterConfigure IPSec policy to use health certificates
NAP Health Exemptions
Use AutoEnrollment to enroll “Health Exemption” certificates to systems exempt from NAP compliance
Define group for DA clients exempt from NAPCreate certificate template with the following attribute:
Custom application policy – “Server Health”OID = “1.3.6.1.4.1.311.47.1.1”
Grant enroll and autoenroll permissions to group
Remediation Servers
Any service that needs to be available to clients for remediation to happen
Depend on what SHAs are being used by organizationRemediation Servers need to be reachable from unhealthy clients
Publish remediation servers externally to the InternetUse separate DA server and IPv6 subnet for remediation servers
Require additional (non-health) client certificate to secure access to remediation subnet
Network Policy Server (NPS) new features in Windows Server 2008 R2:
NPS Templates and Templates ManagementRADIUS accounting improvementsFull support for international, non-English character sets using UTF-8 encoding
Network Access Protection (NAP) new features in Windows Server 2008 R2 and Windows 7
Multi-configuration SHV NAP client user interface improvements.
Multi-Configuration SHV
SHVs define configuration requirements for computers that attempt to connect to your network, via wired, wireless, or VPNWith multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV
Accessing the network
Remediation Server
NPS
May I have a health certificate? Here’s my SoH. Client OK?
No. Needs fix-up.You don’t get a health certificate.Go fix up.
I need updates.
Here you go.
Yes. Issue health certificate.Here’s your health certificate.
Client
NAP WalkthroughUntrusted Network
BoundaryNetwork
Secure Network
CA
Issue me a health certificate.
Here it is.
DHCP
HRA
X
Windows Clients and Windows Server 2008 R2 NAP: Why They Are Better Together
In the talk you seen why using the built functionality of Windows in both the client and server make a compelling argument for introducing this technology into your company.We have will explore the required services and configurations that a administrator need to understand in planning NAP.We covered some of new features that are in Windows 7 and Server 2008 r2
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learningMicrosoft Certification and Training Resources
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Windows Server ResourcesMake sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies•Over 15 booths and experts from Microsoft and our partners
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.