Step By Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab

Microsoft Corporation

Published: July 2008

Abstract

Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista®, Windows Server® 2008, and Windows XP with Service Pack 3 operating systems. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the Internet Protocol security (IPsec) enforcement method.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents

Step By Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab  1
Abstract  1
Copyright Information  2
Contents  3
Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab  7
  In this guide  7
  Scenario overview  8
    IPsec enforcement and logical networks  8
      Secure network  9
      Boundary network  9
      Restricted network  9
  NAP overview  10
    Policy validation  10
    NAP enforcement and network restriction  11
    Remediation  11
    Ongoing monitoring to ensure compliance  12
  Hardware and software requirements  12
  Steps for configuring the test lab  12
  Configure DC1  13
    Install the operating system on DC1  13
    Configure TCP/IP on DC1  14
    Configure DC1 as a domain controller and DNS server  14
    Install an enterprise root CA on DC1  15
    Verify root CA properties  16
    Create a user account in Active Directory  16
    Add user1 to the Domain Admins group  17
    Create a security group for NAP client computers  17
    Create an IPsec exemption group  17
    Configure certificate templates  18
    Publish certificate templates  19
    Enable certificate auto-enrollment in Active Directory  19
  Configure NPS1  21
    Install Windows Server 2008 or Windows Server 2008 R2  21
    Configure TCP/IP properties on NPS1  22
    Join NPS1 to the contoso.com domain  22
    Add NPS1 to the IPsec NAP exemption group  23
    Restart NPS1  23
    User Account Control  23
    Obtain a computer certificate on NPS1  24
    Verify computer certificates on NPS1  24
    Install the NPS, HRA, and CA server roles  24
    Install the Group Policy Management feature  26
    Configure the subordinate CA on NPS1  26
    Configure HRA with permissions  27
    Configure CA properties on HRA  27
    Configure NPS as a NAP health policy server  29
    Configure NAP with a wizard  30
    Configure SHVs  32
    Configure NAP client settings in Group Policy  33
    Configure security filters for the NAP client settings GPO  34
  Configure CLIENT1/CLIENT2  35
    Install Windows Vista on CLIENT1 and CLIENT2  35
    Configure TCP/IP on CLIENT1 and CLIENT2  35
    Join CLIENT1 to the Contoso.com domain  36
    Add CLIENT1 to the NAP client computers security group  37
    Enable Run on the Start menu on CLIENT1 and CLIENT2  37
    Verify Group Policy settings on CLIENT1  37
    Export the root CA certificate on CLIENT1  38
    Import the root CA certificate on CLIENT2  39
    Configure NAP client settings on CLIENT2  39
    Start the NAP Agent service on CLIENT2  40
    Verify local policy settings on CLIENT2  40
    Allow ICMP through Windows Firewall on CLIENT1 and CLIENT2  41
    Verify network connectivity  41
  Verifying NAP functionality  41
    Verify health certificate enrollment on CLIENT1 and CLIENT2  42
    Join CLIENT2 to the Contoso.com domain  43
    Verification of NAP auto-remediation on CLIENT1  44
    Verification of NAP policy enforcement on CLIENT1  46
      Configure WSHV to require an antivirus application  47
      Refresh the SoH on CLIENT1  47
      Confirm health certificate removal  48
      Remove the antivirus health requirement so that CLIENT1 can become compliant  48
      Refresh the SoH on CLIENT1  49
      Confirm that the client health certificate is restored  49
  Configuring IPsec policies  49
    Create two OUs  49
    Create IPsec policies for health enforcement  50
      Create policies for the IPsec secure OU  50
      Create policies for the IPsec boundary OU  51
    Place computers into secure and boundary OUs  52
    Apply Group Policy settings  53
  Demonstrate NAP IPsec enforcement  53
    Verify that compliant NAP clients can communicate  53
    Revise NAP policy to be more restrictive  54
    Demonstrate network restriction  55
  Optional procedures to configure HRA auto-discovery  55
    Requirements for HRA auto-discovery  56
    Configure the EnableDiscovery registry key  56
    Configure DNS SRV records  56
    Clear the trusted server group configuration  57
    Verify HRA auto-discovery  58
  See Also  58
  Appendix  58
    Set UAC behavior of the elevation prompt for administrators  58
    Review NAP client events  59
    Review NAP server events  59

Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab

Network Access Protection (NAP) is a new technology that was introduced in the Windows Vista® and Windows Server® 2008 operating systems. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP includes client and server components that you can use to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unlimited network access.

NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network. In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose.
NAP enforces health requirements for the following:

• Internet Protocol security (IPsec)-protected communications
• Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
• Virtual private network (VPN) connections
• Dynamic Host Configuration Protocol (DHCP) configuration
• Terminal Services Gateway (TS Gateway)

The step-by-step instructions in this paper will show you how to deploy a NAP IPsec enforcement test lab so that you can better understand how IPsec enforcement works.

In this guide

This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the IPsec enforcement method using two server computers and two client computers. The test lab lets you create and enforce client health requirements using NAP and IPsec.

Important

The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Scenario overview

In this test lab, NAP enforcement for IPsec network access control is deployed with:

• One computer running Windows Server 2003 that is configured as a domain controller, DNS server, and root certification authority (CA). This lab demonstrates NAP support for the Active Directory® directory service in Windows Server 2003. You can also make the domain controller in this lab run Windows Server 2008 or Windows Server 2008 R2.
• One member server running Windows Server 2008 or Windows Server 2008 R2 that is running Network Policy Server (NPS) and is configured as a Health Registration Authority (HRA) and a subordinate CA.
• Two NAP-capable client computers running Windows Vista or Windows 7.

The test lab consists of an intranet network assigned a private IP address range of 192.168.0.0/24 that is connected by a hub or switch. See the following figure.

In the test lab, CLIENT1 will initiate IPsec-protected communications with CLIENT2. If valid network health credentials are provided to NPS1 by both computers, the communication is allowed. If either computer fails to meet network health requirements, then IPsec policies will restrict communications by placing the noncompliant client computer on a different IPsec logical network.

IPsec enforcement and logical networks

IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of whether computers require IPsec authentication with health certificates for incoming communication attempts.

Note

The purpose of logical networks is to limit the access of noncompliant computers, and provide compliant computers with an environment that is protected from threats introduced by noncompliant computers. The access of noncompliant computers is limited to resources required to remediate their health state and gain full network access.

IPsec logical networks consist of a secure network, a boundary network, and a restricted network.

Secure network

Computers that have health certificates and require these certificates for authentication of incoming communication attempts are on a secure network. These computers have a common set of IPsec policy settings that provide IPsec protection. For example, most server and client computers that are members of an Active Directory infrastructure would be in a secure network. Health requirement servers, servers running Active Directory Certificate Services (AD CS), and e-mail servers are examples of network components that normally reside in a secure network.
Boundary network

Computers that have health certificates but do not require that incoming communication attempts authenticate with these certificates are on the boundary network. Computers in the boundary network must be accessible to computers on the entire network. These types of computers are the servers required to assess and remediate NAP client health or otherwise provide network services for computers in the restricted network, such as HRA and remediation servers. Because computers in the boundary network do not require authentication and protected communication, they must be closely managed to prevent them from being used to attack computers in the secure network.

Restricted network

Computers that do not have health certificates are placed in the restricted network. These are computers that have not completed health checks, or have been determined to be noncompliant with network health policy. They might be guest computers, or non-NAP-capable computers, such as computers running versions of Windows that do not support NAP, Apple Macintosh computers, or UNIX-based computers.

The following figure shows an example of IPsec logical networks.

In the test lab, NPS1 is on the boundary network, CLIENT1 is on the secure network, and CLIENT2 moves between the secure and restricted networks, depending on its health status.

NAP overview

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

System health validators (SHVs) are used by NPS, which is a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server, to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access.
Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations. Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, and enforce the following settings for NAP-capable computers:

• The client computer has firewall software installed and enabled.
• The client computer has antivirus software installed and running.
• The client computer has current antivirus updates installed.
• The client computer has antispyware software installed and running.
• The client computer has current antispyware updates installed.
• Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall, and have enabled Windows Update.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

• Allow full network access. This is the default setting. Clients that match the policy conditions are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
• Allow limited access. Client computers that match the policy conditions are placed on the restricted network.
• Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

In this test lab, you will use the NAP configuration wizard to create two network policies. A compliant policy will grant full network access to the IPsec-protected network. A noncompliant policy will demonstrate network restriction by applying IPsec policies that limit communication of noncompliant NAP clients to computers on the boundary network.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

You can use NAP settings in NPS network policies to configure automatic remediation, so that NAP client components automatically attempt to update the client computer when it is noncompliant. This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, causing Windows Firewall to be turned on without user intervention.
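The policy validation, enforcement settings, auto-remediation and logical-network membership described in the sections above, as an added worked model. This is illustrative code written for this page, not part of the guide and not Microsoft's NAP implementation; it calls no Windows API. It assumes, for the sake of the model, that only the firewall and automatic-update settings can be auto-remediated, that IPsec certificate authentication is mutual (a protected session needs a health certificate on both ends), and that a responder which does not require authentication accepts a connection in the clear. The host names follow the lab, while the SoH values, policy dates and the enum labels are constructed.

```python
"""Constructed model of the NAP IPsec enforcement flow described in this guide:
WSHV evaluation of a statement of health (SoH), the resulting network policy,
auto-remediation, health-certificate issuance, logical-network membership and
which lab computers can then reach each other. Illustrative code only; it is
not Microsoft's NAP implementation and calls no Windows API."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

# SoH items use the six WSHV checks from the guide as attribute names, e.g.
# "firewall_on", "antivirus_on", "antivirus_current", "antispyware_on",
# "antispyware_current", "auto_update_on". Assumption of this model: only the
# two below can be fixed without user action (the lab turns Windows Firewall on).
AUTO_REMEDIABLE = frozenset({"firewall_on", "auto_update_on"})

class Access(Enum):
    FULL = "full network access"
    LIMITED = "limited access (restricted network)"

class Network(Enum):
    SECURE = "secure"
    BOUNDARY = "boundary"
    RESTRICTED = "restricted"

@dataclass
class HealthPolicy:
    required: FrozenSet[str]                  # WSHV checks that must pass
    auto_remediate: bool = True               # "Enable auto-remediation of client computers"
    enforce_after: Optional[datetime] = None  # set for "full network access for a limited time"

@dataclass
class Host:
    name: str
    soh: Dict[str, bool]            # constructed SHA report; a missing item counts as failed
    requires_inbound_auth: bool     # True under the secure-OU IPsec policy
    has_health_cert: bool = False

def evaluate_soh(soh: Dict[str, bool], policy: HealthPolicy) -> List[str]:
    """WSHV-style check: the required items the client fails (empty = compliant)."""
    return sorted(c for c in policy.required if not soh.get(c, False))

def remediate(soh: Dict[str, bool], failed: List[str]) -> Dict[str, bool]:
    """Auto-remediation: the SHA turns on what it can and leaves the rest alone."""
    fixed = dict(soh)
    for check in failed:
        if check in AUTO_REMEDIABLE:
            fixed[check] = True
    return fixed

def enforce(host: Host, policy: HealthPolicy, now: Optional[datetime] = None) -> Access:
    """NPS decision for one SoH; the HRA issues or withholds the health certificate."""
    now = now or datetime.now()
    failed = evaluate_soh(host.soh, policy)
    if failed and policy.auto_remediate:
        host.soh = remediate(host.soh, failed)
        failed = evaluate_soh(host.soh, policy)   # the client resubmits its SoH
    deferred = policy.enforce_after is not None and now < policy.enforce_after
    host.has_health_cert = not failed or deferred  # the certificate goes with full access
    return Access.FULL if host.has_health_cert else Access.LIMITED

def logical_network(host: Host) -> Network:
    """Logical network as the guide defines it: certificate held, certificate required inbound."""
    if not host.has_health_cert:
        return Network.RESTRICTED
    return Network.SECURE if host.requires_inbound_auth else Network.BOUNDARY

def attempt(src: Host, dst: Host) -> str:
    """Outcome when src initiates a connection to dst. Assumes IPsec certificate
    authentication is mutual, so a protected session needs certificates on both ends."""
    if src.has_health_cert and dst.has_health_cert:
        return "ipsec"
    if dst.requires_inbound_auth:
        return "blocked"
    return "clear"   # the responder does not require authentication

def lab_demo():
    """The guide's lab with constructed SoH values: NPS1 in the boundary OU (exempt, so
    modelled as already holding a certificate), CLIENT1 and CLIENT2 in the secure OU."""
    now = datetime(2008, 7, 1)
    nps1 = Host("NPS1", {}, requires_inbound_auth=False, has_health_cert=True)
    client1 = Host("CLIENT1", {"firewall_on": False, "auto_update_on": True}, True)
    client2 = Host("CLIENT2", {"firewall_on": True, "auto_update_on": True}, True)
    lab_policy = HealthPolicy(frozenset({"firewall_on", "auto_update_on"}))
    results = {h.name: enforce(h, lab_policy, now) for h in (client1, client2)}
    # Revise the policy to also require antivirus, which no SHA can fix by itself:
    # first with enforcement deferred to a later date, then enforced immediately.
    strict = HealthPolicy(lab_policy.required | {"antivirus_on"})
    deferred = HealthPolicy(strict.required, enforce_after=datetime(2009, 1, 1))
    results["CLIENT2 (deferred)"] = enforce(client2, deferred, now)
    results["CLIENT2 (strict)"] = enforce(client2, strict, now)
    hosts = (nps1, client1, client2)
    networks = {h.name: logical_network(h) for h in hosts}
    matrix = {(a.name, b.name): attempt(a, b) for a in hosts for b in hosts if a is not b}
    return results, networks, matrix

if __name__ == "__main__":
    results, networks, matrix = lab_demo()
    for name, net in networks.items():
        print(f"{name}: {net.value} network")
    for (a, b), outcome in sorted(matrix.items()):
        print(f"{a} -> {b}: {outcome}")
```

Running the file prints each lab computer's logical network and the outcome of every pairwise connection attempt; lab_demo() returns the same data so it can be checked programmatically. CLIENT1 starts with Windows Firewall off, is auto-remediated and receives a health certificate; once the policy is tightened to require antivirus, CLIENT2 loses its certificate, every attempt between it and CLIENT1 is blocked, and only its connection to NPS1 on the boundary network still succeeds, which is the network restriction the lab demonstrates.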