Windows Clients and Windows Server 2008 NAP: Why They Are ...

Windows Clients and Windows Server 2008 NAP: Why They Are ...

Windows Clients and Windows Server 2008 NAP: Why They Are Better Together Jayson Ferron CIO Interactive Security Training WSV206 Windows Clients and Windows Server 2008 NAP: Why they are better together In the talk you see why using the built functionality of Windows in both the client and server makes a compelling argument for introducing this technology into your company We will explore the required services and configurations that an administrator needs to understand in planning NAP

We will cover new features that are in Windows 7 and Server 2008 r2 What is Network Access Protection (NAP) Protect from Malware threats We will talk about using malware prevention technologies, how NAP provides centralized definition, integration, and enforcement of system health requirements to help prevent the exposure to malware on a private network What is required to Setup NAP Whats new With Windows 7 and Server 2008 With demos along the way Network Access Protection Overview

The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients: Windows XP SP3 and later Windows Server 2008 and later Additional Hardware Switched network that supports 802.1X Set of operating system components that provide a platform for system health-validated access to networks An architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur Additional components supplied by third-party software vendors or Microsoft Why NAP We do not trust users to install all patches and

updates as required and need to Verify that system are in compliance Do the systems have: current anti-virus software? current anti-spyware? current corporate-approved patches? host-based statefull enabled? What other configuration settings are required for adherence to the organizations security policies? NAP is an Additional Layer in Network Security Network Access Protection is not a silver bullet for network security

NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy NAP is not designed for: blocking unauthorized users rogue machine control software distribution control NAP is a flexible health control solution that is reliant on other mechanisms to solve these issues NAP Walkthrough Untrusted Network Boundary Network Secure

Network DHCP Here it is. May I have a health certificate? Heres my SoH. Client You dont gethealth a health certificate. Heres your certificate.

Go fix up. I need updates. CA Issue me a health Client OK? certificate. HRA Accessing the network

Yes.Needs Issue fix-up. No. health certificate. X NPS Here you go. Remediation Server NAP Components Enforcement Platform

Components Components Health Components System Quarantine Health Agents Agent(SHA) (QA) == Declare Reports health (patchaccess status,

state, with virus coordinates signature, between system SHA configuration, and DHCP, QEC. VPN, etc.). Quarantine Enforcement Clients (QEC) health =client

Negotiate network access device(s); 1X, IPSec QECs. Quarantine Server (QS) Restricts clients network based on what SHV certifies. System Health Validators

(SHV) = Certify declarations made by health agents. Network Access Devices ==Provide network access to access healthy endpoints. Health

Servers = =Define requirements system HealthRequirement Registration Authority Issueshealth certificates to clientsfor that pass components. health checks. Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state. Health Requirement Servers

Remediation Servers Health Policy Updates Client Health Statements SHA Health Result Health Certificate

NAP Agent QEC 1 Network Access Requests QEC 2 Health Registration Authority Network

Policy Server SHV Network Policy Server System Health Agent Options Allows for multiple configurations of SHA deployments Windows SHA Antivirus settings Antispyware settings Firewall settings Windows Updates Settings System Center Configuration Manager 2007 (SCCM) SHA Patch Management

Forefront Client Security (FCS) SHA 3rd party SHAs SoH Renewal Processing Client SoH is revalidated when: Health certificate approaches 80% of validity time Network state changes Changes in client configuration detected by an SHA Group policy is updated How NAP Integrates with IPsec NAP evaluates computer health and issues a health certificate through a Health Registration Authority (HRA) Compliant hosts receive a health certificate Noncompliant hosts are denied

Non NAP-capable hosts receive health exemption certificates through AutoEnrollment IPsec policy is configured to require health certificate for Tunnel and/or Transport Mode Can be combined with optional user-level authentication NAP Components Network Policy Server (NPS) Certification Authority (CA) Health Registration Authority (HRA) NAP Agent with IPSec Relying Party Health Registration Authority The Health Registration Authority (HRA) is used to

issue health certificates to clients that satisfy health checks Web service receiving requests from the NAP clients HRA is a new Windows Server 2008 or Windows Server 2008 R2 role Health certificates are regular X.509 certificates with a very short lifetime (on the order of hours) System Health Authentication OID in the certificate Network Policy Server Network Policy Server (NPS) is used by the HRA to validate the SoH NPS receives computer credentials and SOH from HRA using RADIUS protocol SoH is evaluated by SHVs running on the NPS

server, and results matched against the Health policies Network policies are then used to authorize or deny network connection requests Network Policy Options Allow full network access Allow full network access for limited time Enforcement is deferred until a later date Limited network access Access is restricted to remediation servers myVPC Network Policy Server (NPS) Name

Title Company Certification Authority Issues health certificates for NAP-compliant machines Certificate Authority requirements: Enterprise or standalone subordinate CA under a trusted Root CA Windows Server 2003 or later Recommended that dedicated health certificate-issuing CAs are deployed No revocation is typically required due to short certificate lifetime High volume of certificates issued could impact other services also relying on the CA

IPsec Relying Party The IPsec Relying Party is a component of the NAP Agent that obtains a health certificate from the Health Registration Authority (HRA) Also interacts with the following: Certificate store: Stores the health certificate IPSec components in Windows: Ensures that health certificates are used for IPSec-based communication Host-based firewall (such as Windows Firewall): Ensures that IPSec-protected traffic is allowed by the firewall Health Registration Authority (HRA) Configuration

Exposed to the Internet to receive health information and issue certificates to external clients Forefront TMG/UAG can be used to securely publish HRA web services Forwards requests to internal NPS and CA servers NPS proxy installed on the HRA servers Multiple HRAs load balanced for high availability Use of HRA Discovery to publish HRA information using DNS Network Policy Server (NPS) Configuration NPS servers configured in the internal network,

receiving the RADIUS requests from the HRAs Multiple NPS servers configured in Server Group for high availability Configuration stored locally, use scripts to replicate Configure NPS logging Allows logging to text files or database (ODBC) Best practice is to log to local database, replicate to central SQL repository Certification Authority (CA) Configuration Microsoft Certificate Services required Can be configured either as Stand-Alone or Enterprise CA

Requires security permissions to enable HRA to request and manage certificates Also certificate template permissions for Enterprise CAs Best practice is to dedicate CA to Health Certificates Volume of certificate requests would overwhelm existing CAs and make certificate database management hard Windows Server 2008 R2 CA allows non-persisted certificate requests NAP Client Configuration Enable NAP Agent service and IPsec Relying Party Configure HRA URLs Install and enable SHAs For Windows SHA, turn on Security Center

Configure IPSec policy to use health certificates NAP Health Exemptions Use AutoEnrollment to enroll Health Exemption certificates to systems exempt from NAP compliance Define group for DA clients exempt from NAP Create certificate template with the following attribute: Custom application policy Server Health OID = 1.3.6.1.4.1.311.47.1.1 Grant enroll and autoenroll permissions to group Remediation Servers Any service that needs to be available to clients for remediation to happen

Depend on what SHAs are being used by organization Remediation Servers need to be reachable from unhealthy clients Publish remediation servers externally to the Internet Use separate DA server and IPv6 subnet for remediation servers Require additional (non-health) client certificate to secure access to remediation subnet announcing New for Windows 7 and Windows Server 2008 R2 Network Policy Server (NPS) new features in Windows Server 2008 R2:

NPS Templates and Templates Management RADIUS accounting improvements Full support for international, non-English character sets using UTF-8 encoding Network Access Protection (NAP) new features in Windows Server 2008 R2 and Windows 7 Multi-configuration SHV NAP client user interface improvements. Multi-Configuration SHV SHVs define configuration requirements for computers that attempt to connect to your network, via wired, wireless, or VPN With multi-configuration SHV, a single NAP health policy server can be used to deploy

multiple configurations of the same SHV NAP Walkthrough Untrusted Network Boundary Network Secure Network DHCP Here it is. May I have a health certificate? Heres my SoH. You dontyour

get ahealth healthcertificate. certificate. Heres Go fix up. Client I need updates. Issue me a health Client OK? certificate.

HRA Yes.Needs Issue fix-up. No. health certificate. X Accessing the network Here you go. CA

Remediation Server NPS Windows Clients and Windows Server 2008 R2 NAP: Why They Are Better Together In the talk you seen why using the built functionality of Windows in both the client and server make a compelling argument for introducing this technology into your company. We have will explore the required services and configurations that a administrator need to understand in planning NAP. We covered some of new features that are in Windows 7 and Server 2008 r2

question & answer Resources www.microsoft.com/teched www.microsoft.com/learning Sessions On-Demand & Community Microsoft Certification & Training Resources http://microsoft.com/technet http://microsoft.com/msdn

Resources for IT Professionals Resources for Developers www.microsoft.com/learning Microsoft Certification and Training Resources Windows Server Resources Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2

Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies Over 15 booths and experts from Microsoft and our partners Complete an evaluation on CommNet and enter to win! 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Recently Viewed Presentations

  • 2009 Legislative Session - Texas A&M University System

    2009 Legislative Session - Texas A&M University System

    Justin Greiner Texas Higher Education Coordinating Board Changes from SB639 Eligibility Requirements Default Loan Verification Procedure New Applications Supporting Documentation How to View Database Information Where to Obtain Program Information * Veterans are required to "reside" in Texas during the...
  • GPO Pharmacist team . .   .   Cough Cold

    GPO Pharmacist team . . . Cough Cold

    การใช้ยาในเด็กและเยาวชน GPO Pharmacist team ภก. ชีวิต คงสุข ภญ. ศิรินทร์ทิพย์ ขวัญเมือง
  • Structures of the Wampanoag Indians - Willowcreek U.S ...

    Structures of the Wampanoag Indians - Willowcreek U.S ...

    Structures of the Wampanoag Indians The Wampanoag Indian government was based off of a confederate system. Which means they were a group of peoples parties ect. United together to make decisions within the tribe. The Wampanoag government structure To make...
  • Climate Zone Map - wikifoundryattachments.com

    Climate Zone Map - wikifoundryattachments.com

    Warm Climate Zones. Warm Regions: Results in white wines that have tropical fruit flavors such as mangos, pineapple, papayas, guavas or bananas. Produce red wines that can take on flavors of dried and heavier fruits like raisins, figs or prunes.
  • An Unforgettable Journey By Maijue Xiong Before, During,

    An Unforgettable Journey By Maijue Xiong Before, During,

    Maijue. Xiong. Before, During, and After Reading Skills. An Unforgettable Journey. Preparing to Read. 1. Identify and define the two . Literary Focus . elements of this text. 2. Identify and define the . Reading Focus . skill used in...
  • British Psychological Society Research Seminar on Stranger Child

    British Psychological Society Research Seminar on Stranger Child

    There is a need to balance how much you say and what you don't reveal (so you don't educate offenders) There needs to be more collaboration between researchers/academics and practitioners. Good practice - contracting/tendering for researchers to explore practitioner-identified research...
  • 5th Grade Number Sense Review created by The

    5th Grade Number Sense Review created by The

    a. eight hundred twenty-three and nine tenths. b. eight hundred two three and nine tenths. c. eight hundred twenty-three and nine. Try again! Click here to go back to the problem. Marvelous! Click here to go to the next problem....
  • PAGE WELCOME & INTRODUCTIONS Advances in Chronic Myeloid

    PAGE WELCOME & INTRODUCTIONS Advances in Chronic Myeloid

    Bower H et al. J ClinOncol 34:2851-57, 2016. Treatment Advances for CML: TKIs. Bosutinib. Overcomes most imatinib-resistant mutations. Approved for 1st line therapy in late 2017. BELA trial (2012), 502 patients: bosutinib 500 mg vs imatinib 400 mg, evaluated at...