
Windows Clients and Windows Server 2008 NAP: Why They Are Better Together

Jayson Ferron, CIO, Interactive Security Training (session WSV206)

In this talk you will see why using the built-in functionality of Windows, in both the client and the server, makes a compelling argument for introducing this technology into your company.
We will explore the required services and configurations that an administrator needs to understand when planning NAP.
We will cover the new features in Windows 7 and Windows Server 2008 R2.

What is Network Access Protection (NAP)?

Protect from malware threats. We will talk about using malware-prevention technologies and how NAP provides centralized definition, integration and enforcement of system health requirements to help prevent exposure to malware on a private network.

What is required to set up NAP
What's new with Windows 7 and Windows Server 2008 R2
With demos along the way

Network Access Protection Overview

The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients:
Windows XP SP3 and later (Windows XP SP3, Windows Vista, Windows 7)
Windows Server 2008 and later

Additional hardware: a switched network that supports 802.1X (needed only for 802.1X enforcement)
A set of operating system components that provide a platform for system-health-validated access to networks
An architecture through which policy validation, network access limitation, automatic remediation and ongoing compliance can occur
Additional components supplied by third-party software vendors or Microsoft

Why NAP

We do not trust users to install all patches and updates as required, so we need to verify that systems are in compliance.

Do the systems have:
current antivirus software?
current antispyware?
current corporate-approved patches?
a host-based stateful firewall enabled?

What other configuration settings are required for adherence to the organization's security policies?

NAP is an Additional Layer in Network Security

Network Access Protection is not a silver bullet for network security.
NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy.
NAP is not designed for:
blocking unauthorized users
rogue machine control
software distribution control
NAP is a flexible health-control solution that relies on other mechanisms to solve these issues. The Statement of Health (SoH) is reported by the client's own health agents, which is why NAP complements, rather than replaces, user and device authentication.

Accessing the Network: NAP Walkthrough

[Diagram: the client starts on the Untrusted Network; DHCP, the HRA and the Remediation Server sit on the Boundary Network; NPS and the CA sit on the Secure Network, which is blocked (X) to the client until it holds a health certificate. The exchange reads:]

1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client OK?"
3. NPS to HRA: "No. Needs fix-up." HRA to client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server to client: "Here you go."
5. The client resubmits its SoH. NPS to HRA: "Yes. Issue health certificate."
6. HRA to CA: "Issue me a health certificate." CA to HRA: "Here it is."
7. HRA to client: "Here's your health certificate."

NAP Components

[Diagram: the Client runs the NAP Agent with SHA1..SHAn and QEC1, QEC2; it sends Health Statements and Network Access Requests to the Network Policy Server, which runs SHV1..SHVn, receives Health Policy Updates from the Health Requirement Servers and returns a Health Result; the Health Registration Authority turns a passing result into a Health Certificate; Remediation Servers are reachable from restricted clients.]

Health Components
System Health Agents (SHA) = Declare health (patch state, virus signatures, system configuration, etc.).
System Health Validators (SHV) = Certify the declarations made by the health agents.
Remediation Servers = Install the necessary patches, configurations and applications; bring clients to a healthy state.

Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with the network access device(s); DHCP, VPN, 802.1X and IPsec QECs.
Quarantine Agent (QA) = Reports client health status; coordinates between the SHAs and the QECs.
Quarantine Server (QS) = Restricts the client's network access based on what the SHV certifies.
Health Registration Authority (HRA) = Issues certificates to clients that pass the health checks.

Platform Components
Health Requirement Servers = Define health requirements for system components.
Network Access Devices = Provide network access to healthy endpoints.

(Quarantine Agent, Quarantine Enforcement Client and Quarantine Server are the pre-release names; the shipping product calls them NAP Agent, NAP Enforcement Client and NAP Enforcement Server.)

System Health Agent Options
Allows for multiple configurations of SHA deployments:
Windows SHA: antivirus settings, antispyware settings, firewall settings, Windows Update settings
System Center Configuration Manager 2007 (SCCM) SHA: patch management
Forefront Client Security (FCS) SHA
3rd-party SHAs

SoH Renewal Processing

The client SoH is revalidated when:
the health certificate approaches 80% of its validity time
the network state changes
an SHA detects a change in the client configuration
Group Policy is updated

How NAP Integrates with IPsec

NAP evaluates computer health and issues a "health certificate" through a Health Registration Authority (HRA)
Compliant hosts receive a health certificate
Noncompliant hosts are denied one
Non-NAP-capable hosts receive "health exemption" certificates through autoenrollment
IPsec policy is configured to require a health certificate for tunnel and/or transport mode
Can be combined with optional user-level authentication

NAP Components

Network Policy Server (NPS)
Certification Authority (CA)
Health Registration Authority (HRA)
NAP Agent with IPsec Relying Party

Health Registration Authority

The Health Registration Authority (HRA) issues health certificates to clients that satisfy the health checks
Web service (hosted in IIS) receiving requests from the NAP clients
HRA is a role service of Network Policy and Access Services, introduced in Windows Server 2008 and also available in Windows Server 2008 R2
Health certificates are regular X.509 certificates with a very short lifetime (on the order of hours)
They carry the System Health Authentication application policy OID (1.3.6.1.4.1.311.47.1.1) in the certificate
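As an added example (not code from the deck), the PowerShell below lists the health certificates the NAP Agent has placed in the local machine store, recognising them by the System Health Authentication OID given on the slide, and computes the 80% point of each certificate's validity at which, per the SoH Renewal slide, the agent revalidates. The OID, the 0.8 fraction and the one-day "long-lived" threshold are assumptions taken from the slides; nothing here contacts an HRA.

```powershell
# Added example: inspect NAP health certificates on a Windows 7 / 2008 R2 host.
# Assumptions (from the slides, not verified against an HRA here):
#  - a health certificate carries the System Health Authentication EKU
#    1.3.6.1.4.1.311.47.1.1;
#  - the NAP Agent renews once 80% of the validity period has elapsed.
$HealthEkuOid = '1.3.6.1.4.1.311.47.1.1'

function Get-HealthCertificate {
    param([string]$StoreName = 'My', [string]$StoreLocation = 'LocalMachine')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            # Find the EKU extension and check that it lists the health OID.
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $HealthEkuOid })) {
                $cert
            }
        }
    } finally {
        $store.Close()
    }
}

function Get-HealthCertificateRenewalInfo {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [double]$RenewAtFraction = 0.8
    )
    $now      = Get-Date
    $validity = $Certificate.NotAfter - $Certificate.NotBefore
    # Renewal point = NotBefore + 80% of the validity window.
    $renewAt  = $Certificate.NotBefore.AddTicks([long]($validity.Ticks * $RenewAtFraction))
    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        NotBefore  = $Certificate.NotBefore
        NotAfter   = $Certificate.NotAfter
        Validity   = $validity
        RenewAt    = $renewAt
        RenewDue   = ($now -ge $renewAt)
        Expired    = ($now -ge $Certificate.NotAfter)
        # Health certificates should live for hours, not days; a long one is
        # either an exemption certificate or a template that needs a look.
        LongLived  = ($validity -gt [TimeSpan]::FromDays(1))
    }
}

Get-HealthCertificate |
    ForEach-Object { Get-HealthCertificateRenewalInfo -Certificate $_ } |
    Format-List Subject, Issuer, NotBefore, NotAfter, Validity, RenewAt, RenewDue, Expired, LongLived
```

Run it elevated so the machine store is readable. An exemption certificate enrolled from the template described later carries the same OID, so the LongLived flag is the quickest way to tell the two apart on a host.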

Network Policy Server

Network Policy Server (NPS) is used by the HRA to validate the SoH
NPS receives the computer credentials and the SoH from the HRA using the RADIUS protocol
The SoH is evaluated by the SHVs running on the NPS server and the results are matched against the health policies
Network policies are then used to authorize or deny the network connection request

Network Policy Options

Allow full network access
Allow full network access for a limited time (enforcement is deferred until a later date)
Limited network access (access is restricted to the remediation servers)


Certification Authority

Issues health certificates for NAP-compliant machines
Certification Authority requirements:
Enterprise or standalone subordinate CA under a trusted root CA
Windows Server 2003 or later
Recommended that dedicated health-certificate-issuing CAs are deployed:
no revocation is typically required because of the short certificate lifetime
the high volume of certificates issued could impact other services that also rely on the CA


IPsec Relying Party

The IPsec Relying Party is the component of the NAP Agent that obtains a health certificate from the Health Registration Authority (HRA). It also interacts with the following:
Certificate store: stores the health certificate
IPsec components in Windows: ensure that health certificates are used for IPsec-based communication
Host-based firewall (such as Windows Firewall): ensures that IPsec-protected traffic is allowed by the firewall

Health Registration Authority (HRA) Configuration

Exposed to the Internet to receive health information and issue certificates to external clients
Forefront TMG/UAG can be used to securely publish the HRA web services
Forwards requests to the internal NPS and CA servers; an NPS proxy is installed on the HRA servers
Multiple HRAs load balanced for high availability
Use HRA Discovery to publish HRA information using DNS
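The following is an added example, not from the deck, of what "HRA Discovery using DNS" looks like on both sides: an SRV record per load-balanced HRA on the DNS server, and the NAP Agent switched to discovery mode on a client. The SRV name _hra._tcp.<domain> and the EnableDiscovery value under the napagent registry key are assumed here to match Microsoft's HRA discovery guidance for Windows 7 / Windows Server 2008 R2; the zone and host names are made up.

```powershell
# Added example: publish the load-balanced HRAs for client discovery and turn
# discovery on at a client. Assumptions: the SRV name _hra._tcp.<domain> and
# the EnableDiscovery value under the napagent key follow Microsoft's HRA
# discovery guidance for Windows 7 / Server 2008 R2; zone and host names are
# made up for the example.
$Zone     = 'contoso.com'
$HraHosts = @('hra1.contoso.com', 'hra2.contoso.com')   # the load-balanced HRAs

# On the DNS server: one SRV record per HRA. Equal priority and weight let the
# clients spread across both; port 443 because the HRAs are published over HTTPS.
function Publish-HraSrvRecord {
    param([string]$Zone, [string[]]$Targets, [int]$Port = 443)
    foreach ($target in $Targets) {
        # dnscmd /RecordAdd <zone> <node> SRV <priority> <weight> <port> <host>
        & dnscmd.exe /RecordAdd $Zone '_hra._tcp' SRV 0 0 $Port $target
    }
}

# On the client: tell the NAP Agent to look the HRA up in DNS instead of using
# a static trusted server group, then restart it so the change takes effect.
function Enable-HraDiscovery {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableDiscovery' -Value 1 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name napagent
}

# Check from a client: the record the agent will find, and what it then reports.
function Test-HraDiscovery {
    param([string]$Zone)
    & nslookup.exe -type=SRV "_hra._tcp.$Zone"
    & netsh.exe nap client show state
}

Publish-HraSrvRecord -Zone $Zone -Targets $HraHosts   # run on the DNS server
Enable-HraDiscovery                                   # run on each NAP client
Test-HraDiscovery -Zone $Zone                         # run on a NAP client
```

With discovery on, DNS decides where a client sends its SoH. A spoofed SRV record would point clients at an attacker's HRA, so the HRAs must be reachable over HTTPS with server certificates that chain to a CA the clients already trust; that TLS check, not the DNS answer, is what the client's trust rests on.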

Network Policy Server (NPS) Configuration

NPS servers configured in the internal network, receiving the RADIUS requests from the HRAs
Multiple NPS servers configured in a server group for high availability
Configuration is stored locally on each server; use scripts to replicate it
Configure NPS logging: allows logging to text files or to a database (ODBC)
Best practice is to log to a local database and replicate to a central SQL repository
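"Use scripts to replicate" comes down to the built-in netsh nps export/import commands. The function below is an added example (not from the deck) that pushes one NPS server's configuration to the other members of its server group. It assumes PowerShell remoting is enabled on all servers, the caller is a local administrator on each, the C$ admin shares are reachable, and the server names are made up.

```powershell
# Added example: push one NPS server's configuration to the other server-group
# members. NPS stores its configuration locally (no replication), so "use
# scripts to replicate" on the slide comes down to export/import.
# Assumptions: PowerShell remoting is enabled on all servers, the caller is a
# local administrator on each, the admin shares are reachable, and the server
# names are made up.
function Sync-NpsConfiguration {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string[]]$Targets
    )
    $exportPath = 'C:\Windows\Temp\nps-export.xml'
    $toUnc = { param($computer, $path) "\\$computer\" + $path.Replace(':', '$') }

    # 1. Export on the source. exportPSK=YES writes the RADIUS shared secrets
    #    into the file, which is what the targets need, so treat the file as a
    #    secret in transit and delete every copy afterwards.
    Invoke-Command -ComputerName $Source -ArgumentList $exportPath -ScriptBlock {
        param($path)
        & netsh.exe nps export filename="$path" exportPSK=YES
    }
    $sourceUnc = & $toUnc $Source $exportPath

    foreach ($target in $Targets) {
        # 2. Copy over the admin share, then import. Import replaces the whole
        #    NPS configuration on the target, which is the intent for a group.
        Copy-Item -Path $sourceUnc -Destination (& $toUnc $target $exportPath) -Force
        Invoke-Command -ComputerName $target -ArgumentList $exportPath -ScriptBlock {
            param($path)
            & netsh.exe nps import filename="$path"
            Remove-Item -Path $path -Force
            # Quick check: the network policies now present on this member.
            & netsh.exe nps show np
        }
    }

    # 3. Remove the source copy too.
    Remove-Item -Path $sourceUnc -Force
}

Sync-NpsConfiguration -Source 'nps1.contoso.com' -Targets @('nps2.contoso.com', 'nps3.contoso.com')
```

Because the export contains every RADIUS shared secret in clear, run this from a host you would trust with those secrets and do not leave the XML on a file share; the function deletes each copy as soon as it has been imported.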

Certification Authority (CA) Configuration

Microsoft Certificate Services required
Can be configured either as a standalone or an enterprise CA
Requires security permissions on the CA so that the HRA computer account can request and manage certificates (Request Certificates and Issue and Manage Certificates)
Also certificate template permissions for enterprise CAs
Best practice is to dedicate a CA to health certificates: the volume of certificate requests would overwhelm existing CAs and make certificate database management hard
Windows Server 2008 R2 CA allows non-persisted certificate requests, so health certificates need not be stored in the CA database

NAP Client Configuration

Enable the NAP Agent service and the IPsec Relying Party enforcement client
Configure HRA URLs
Install and enable SHAs (for the Windows SHA, turn on Security Center)
Configure IPsec policy to use health certificates
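The client-side steps above, together with the IPsec requirement from the "How NAP Integrates with IPsec" slide, as one added PowerShell example (not code from the deck) typed on a Windows 7 / Windows Server 2008 R2 host. The HRA URLs, the trusted server group name and the health CA's subject are made up; 79619 is the enforcement client ID that netsh nap client show configuration lists for the IPsec Relying Party.

```powershell
# Added example: the client-side steps from the "NAP Client Configuration" and
# "How NAP Integrates with IPsec" slides, as typed on a Windows 7 / Server 2008 R2
# host (run elevated). Assumptions: HRA URLs, the trusted server group name and
# the health CA's subject are made up; 79619 is the enforcement client ID that
# "netsh nap client show configuration" lists for the IPsec Relying Party.
$HraUrls    = @('https://hra1.contoso.com/DomainHRA/hcsrvext.dll',
                'https://hra2.contoso.com/DomainHRA/hcsrvext.dll')
$HealthCaDn = 'CN=ContosoHealthCA,DC=contoso,DC=com'   # no spaces, so netsh gets one token
$Boundary   = $false   # $true on HRA / remediation servers, see step 4

# 1. Services: NAP Agent (manual by default) and Security Center, which the
#    Windows SHA reads for antivirus / antispyware / firewall / update state.
foreach ($svc in @('napagent', 'wscsvc')) {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Enforcement client: IPsec Relying Party.
& netsh.exe nap client set enforcement ID=79619 ADMIN="ENABLE"

# 3. Trusted server group of HRAs. HTTPS is required so the SoH and the issued
#    certificate are not sent in clear and a client cannot be steered to a
#    rogue HRA by DNS alone.
& netsh.exe nap client add trustedservergroup name="ContosoHRA" requirehttps="ENABLE"
$order = 1
foreach ($url in $HraUrls) {
    & netsh.exe nap client add server group="ContosoHRA" url="$url" processingorder="$order"
    $order++
}

# 4. IPsec connection security rule. Secure-network hosts require a health
#    certificate from the health CA inbound and request it outbound; boundary
#    hosts (HRA, remediation servers) only request it, so unhealthy clients can
#    still reach them to get fixed.
$action = if ($Boundary) { 'requestinrequestout' } else { 'requireinrequestout' }
& netsh.exe advfirewall consec add rule name="NAP health certificate" `
    endpoint1=any endpoint2=any action=$action `
    auth1=computercert auth1ca="$HealthCaDn" auth1healthcert=yes

# 5. What the agent thinks: enforcement clients, HRA group, and current state.
& netsh.exe nap client show configuration
& netsh.exe nap client show state
```

In production the same settings are normally delivered through Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection, plus a connection security rule in Windows Firewall with Advanced Security); the netsh form is handy for a lab host and for checking what a client actually ended up with. Note the asymmetry in step 4: if the boundary hosts also "require" a health certificate, an unhealthy client can never reach the HRA or a remediation server and the flow on the walkthrough slide deadlocks.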

NAP Health Exemptions

Use autoenrollment to enroll "Health Exemption" certificates to systems exempt from NAP compliance
Define a group for DA clients exempt from NAP
Create a certificate template with the following attribute:
custom application policy "Server Health", OID = 1.3.6.1.4.1.311.47.1.1
Grant Enroll and Autoenroll permissions to the group
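Because an exemption certificate is accepted by IPsec peers without any health check, the principals that can autoenroll for the template are in effect NAP's bypass list. The following added example (not from the deck) audits the template in Active Directory: it confirms the application policy OID from the slide is present, reads the template's validity period, and lists who holds the Enroll and Autoenroll rights. The template name is made up; the two control-access-right GUIDs are the well-known AD values for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example: audit a NAP health-exemption certificate template in AD.
# It checks the application policy from the slide (OID 1.3.6.1.4.1.311.47.1.1)
# is present, reports the template's validity period, and lists which
# principals hold the Enroll and Autoenroll rights. Assumptions: the template
# name is made up; the two control-access-right GUIDs are the well-known AD
# values for Certificate-Enrollment and Certificate-AutoEnrollment; run as a
# user who can read the Configuration partition.
$HealthOid       = '1.3.6.1.4.1.311.47.1.1'
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-NapExemptionTemplateReport {
    param([Parameter(Mandatory = $true)][string]$TemplateName)

    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [ADSI]::Exists($path)) { throw "Template '$TemplateName' not found at $path" }
    $tmpl = [ADSI]$path

    # Application policies are a multi-valued string attribute of OIDs.
    $appPolicies = @($tmpl.Properties['msPKI-Certificate-Application-Policy'])

    # pKIExpirationPeriod is an 8-byte little-endian negative count of 100 ns
    # intervals, the same encoding as a FILETIME duration.
    $expBytes     = [byte[]]$tmpl.Properties['pKIExpirationPeriod'].Value
    $validityDays = (-[BitConverter]::ToInt64($expBytes, 0)) / [TimeSpan]::TicksPerDay

    # Extended rights on the template object say who may enroll / autoenroll.
    $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $enroll = @(); $autoEnroll = @()
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($rule.ObjectType -eq $EnrollRight)     { $enroll     += $rule.IdentityReference.Value }
        if ($rule.ObjectType -eq $AutoEnrollRight) { $autoEnroll += $rule.IdentityReference.Value }
    }

    New-Object PSObject -Property @{
        Template            = $TemplateName
        ApplicationPolicies = $appPolicies
        HasHealthOid        = ($appPolicies -contains $HealthOid)
        ValidityDays        = $validityDays
        EnrollAllowed       = $enroll
        AutoEnrollAllowed   = $autoEnroll
        # Everyone / Authenticated Users / Domain Computers with Autoenroll
        # would exempt the whole estate from NAP; that is the thing to catch.
        BroadAutoEnroll     = @($autoEnroll | Where-Object {
            $_ -match '\\(Domain Computers|Authenticated Users)$' -or $_ -eq 'Everyone' }).Count -gt 0
    }
}

Get-NapExemptionTemplateReport -TemplateName 'NAPHealthExemption' | Format-List
```

HasHealthOid must be true or IPsec peers will not accept the exemption certificate; BroadAutoEnroll must be false, and AutoEnrollAllowed should contain only the dedicated exemption group from the slide. Since the exemption certificate carries the same OID as an HRA-issued one, a long ValidityDays is the only thing that distinguishes it on the wire, which is one more reason to keep that group small.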

Remediation Servers

Any service that needs to be available to clients for remediation to happen
Depends on which SHAs the organization uses
Remediation servers need to be reachable from unhealthy clients
Publish remediation servers externally to the Internet
Use a separate DA server and IPv6 subnet for remediation servers
Require an additional (non-health) client certificate to secure access to the remediation subnet

New for Windows 7 and Windows Server 2008 R2


Network Policy Server (NPS) new features in Windows Server 2008 R2:
NPS templates and template management
RADIUS accounting improvements
Full support for international, non-English character sets using UTF-8 encoding

Network Access Protection (NAP) new features in Windows Server 2008 R2 and Windows 7:
Multi-configuration SHV
NAP client user interface improvements

Multi-Configuration SHV

SHVs define configuration requirements for computers that attempt to connect to your network via wired, wireless or VPN
With multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV


Demo: Putting it all together

Windows Clients and Windows Server 2008 R2 NAP: Why They Are Better Together

In this talk you have seen why using the built-in functionality of Windows, in both the client and the server, makes a compelling argument for introducing this technology into your company.
We explored the required services and configurations that an administrator needs to understand when planning NAP.
We covered some of the new features in Windows 7 and Windows Server 2008 R2.

Question & Answer

www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources

Resources

Windows Server Resources
Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies; over 15 booths and experts from Microsoft and our partners

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.