Network Access Protection, Revisited (Part 8)

If you would like to read other parts to the article series please read:

  • Network Access Protection, Revisited (Part 1)
  • Network Access Protection, Revisited (Part 2)
  • Network Access Protection, Revisited (Part 3)
  • Network Access Protection, Revisited (Part 4)
  • Network Access Protection, Revisited (Part 5)
  • Network Access Protection, Revisited (Part 6)
  • Network Access Protection, Revisited (Part 7)
  • Network Access Protection, Revisited (Part 9)

    In the previous article I showed you how to request a computer certificate and how to associate that certificate with your VPN server. In this article, I want to turn my attention towards the clients that will be connecting to the VPN server. The client computers must be running Windows Vista or Windows XP with SP3 or higher, and must be domain members. Just as importantly, they must be configured to run an enforcement client component. We will enable this component through group policy, and in this article I will show you how.

    Creating a Security Group

    The thing about creating a Network Access Protection related group policy is that you probably do not want it to apply to all of the computers on the network. Network servers, for example, will probably never connect through the VPN, and therefore should not be configured as Network Access Protection clients. Because we need to discriminate between computers that need to act as Network Access Protection clients and those that do not, we will begin the process by creating a security group to which we can apply the policy settings.

    To create the necessary security group, open the Active Directory Users and Computers console. When the console opens, right-click on your domain and then choose the New | Group commands from the resulting shortcut menus. When you do, Windows will open the New Object – Groups dialog box. Go ahead and specify NAP Clients as the name of the group. Make sure that the group’s scope is set to Global, and make sure that the group type is set to Security. Click OK to create the group.

    Install the Group Policy Management feature

    The next thing that you will have to do is to install the Group Policy Management feature so that you can modify the various group policy settings. To do so, open Server Manager and go to the Features Summary section. Click the Add Features link, and you will be taken to a screen that shows you which features are currently installed. If it is not already installed, select the check box corresponding to the Group Policy Management feature. Finally, click Next, followed by Install. When the installation process completes, go ahead and click Close to close the wizard. You can also close the Server Manager at this point.

    Creating the Group Policy Settings

    Now that the necessary security group is in place, and we have installed the Group Policy Management feature, it is time to go ahead and configure the necessary group policy settings. Begin the process by entering the GPME.MSC command at the Run prompt. When you do so, Windows will display a dialog box which allows you to choose which of the existing group policies you want to edit. Rather than editing one of the existing group policies, we need to create a new group policy object.

    You can accomplish this by clicking the Create New Group Policy Object button which is found just to the right of the listing for your domain. Upon clicking this button, you will be prompted to enter the name of the new group policy object that you are creating. For our purposes, let us call the new group policy object NAP Client Settings.

    Now that the new group policy object has been created, select it and click OK. This will cause Windows to open the Group Policy Management Editor. You must now navigate through the console tree to Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Now, double-click on the listing for Network Access Protection Agent, found in the details pane.

    Windows should now open the Network Access Protection Agent Properties dialog box. Select the Define This Policy Setting check box, and then choose the Automatic startup option. Click OK to close the dialog box.

    Now, navigate through the console tree to Computer Configuration | Policies | Windows Settings | Security Settings | Network Access Protection | NAP Client Configuration | Enforcement Clients. Upon doing so, the details pane will display a list of the various enforcement clients that are available. Right-click on the Remote Access Quarantine Enforcement Client, and then choose the Enable command from the shortcut menu. Now, go back to the NAP Client Configuration container, right-click on it, and then choose Apply.

    Now, go back through the console tree to Computer Configuration | Policies | Administrative Templates | Windows Components | Security Center. Double-click on the Turn on Security Center (Domain PCs Only) setting shown in the details pane. When you do, Windows will display the Turn on Security Center (Domain PCs Only) Properties dialog box. Choose the Enabled option, and click OK. This will ensure that the Security Center is accessible from client PCs. This is important since we are going to be testing Network Access Protection for its ability to detect whether or not the Windows firewall is currently enabled.

    To complete the process, click OK and then close the Group Policy Management Editor. In some cases you may receive a prompt asking you if you want to apply the changes that you have made to the group policy object. If you receive such a prompt, then be sure to apply the changes.

    Configuring Security Filters

    The next thing that we have to do is to apply some security filters that will prevent the Network Access Protection client settings from being applied to network servers. To configure the necessary filters, enter the GPMC.MSC command at the Run prompt. This will cause Windows to open the Group Policy Management Console. Navigate through the console tree to Domain | your domain | Group Policy Objects | NAP Client Settings.

    If you look at the details pane, you will notice the section labeled Security Filtering toward the bottom of the screen. By default, the policy applies to authenticated users. We need to change this so that the policy is not globally applied to anyone who is logged in. Click on the Authenticated Users listing, and then click the Remove button. Click OK when Windows asks you if you are sure.

    Now, click the Add button. Windows should ask you to select a user, computer, or group that you want to use as a security filter. Enter NAP Clients into the space provided, and click the Check Names button. Assuming that the name resolves successfully, click OK.
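    The steps above, from creating the NAP Clients security group through creating the NAP Client Settings GPO and narrowing its security filtering, can also be scripted. The following PowerShell is an added example and is not part of the original article; it assumes a server with the ActiveDirectory and GroupPolicy RSAT modules, a domain-admin session, the group and GPO names used in this article, and that the registry locations behind the two policy settings (the enforcement client entry under NetworkAccessProtection\ClientConfig, with 79619 as the Remote Access Quarantine Enforcement Client id, and SecurityCenterInDomain for Turn on Security Center) match what the Group Policy Management Editor writes in your forest. Verify both against the editor before relying on them. The System Services startup type for the Network Access Protection Agent is stored in the security template rather than the registry, so that one step is still done in the editor as described.

```powershell
# Added example, not the article's own procedure: provisions the NAP client
# group, the NAP Client Settings GPO and its security filtering with the
# ActiveDirectory and GroupPolicy modules instead of the GUI.
#Requires -Modules ActiveDirectory, GroupPolicy

param(
    [string]$GroupName = 'NAP Clients',        # group name used in the article
    [string]$GpoName   = 'NAP Client Settings' # GPO name used in the article
)

$domain = Get-ADDomain

# 1. Global security group at the domain root, as in the article.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $domain.DistinguishedName `
        -Description 'Computers that run the NAP enforcement client'
}

# 2. Create the GPO if it does not exist. It is deliberately left unlinked;
#    link it to the OU that holds the VPN clients when you are ready.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'NAP client: RAS enforcement client and Security Center'
}

# 3a. Enable the Remote Access Quarantine Enforcement Client.
#     Assumption: the NAP client policy stores each enforcement client under its
#     numeric id and 79619 is the Remote Access (VPN) client. Confirm with
#     "netsh nap client show config" on a machine configured through the editor.
$napEcKey = 'HKLM\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enforcement\79619'
Set-GPRegistryValue -Name $GpoName -Key $napEcKey -ValueName 'Enable' `
    -Type DWord -Value 1 | Out-Null

# 3b. Turn on Security Center (Domain PCs Only), so the firewall state can be
#     reported. Assumption: the ADMX-backed value is SecurityCenterInDomain.
$scKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
Set-GPRegistryValue -Name $GpoName -Key $scKey -ValueName 'SecurityCenterInDomain' `
    -Type DWord -Value 1 | Out-Null

# 3c. The Network Access Protection Agent service startup type (System Services
#     node) is held in the GPO's security template, which Set-GPRegistryValue
#     cannot write. Set it to Automatic in the editor, as the article describes.

# 4. Security filtering. The article removes Authenticated Users entirely; here
#    they are reduced to Read only (-Replace drops their Apply right), and the
#    NAP group receives Read + Apply, so only its members process the policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the resulting ACL for review.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

    The one deliberate deviation from the article is in step 4: rather than removing Authenticated Users from the GPO altogether, the script leaves them with Read but not Apply. The policy still reaches only members of NAP Clients, and the computer accounts that process it can still read the object, which the June 2016 MS16-072 update made a requirement for group policy processing. If you follow the article's GUI steps on a patched domain, add Domain Computers with Read under the GPO's Delegation tab for the same reason.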

    Conclusion

    Now all of the necessary group policy settings are in place. In the next article in this series, I will show you how to add your client computer to the security group that we have created in this article. From there, I will show you how to do some simple tests to make sure that the group policy settings that we have defined are being applied in the correct manner. We will then go on to test Network Access Protection, and ensure that it is able to detect whether or not the Windows firewall is enabled on the client PC.
