Network Access Protection, Revisited (Part 9)
If you would like to read other parts to the article series please read:
In the previous part of this article series, I showed you how to establish a security group that can be use to designate which computers will be operated using Network Access Protection. In this article, I will conclude the series by showing you how to make a client computer a member of the group that you previously created, and we will perform some tests to make sure that remote access quarantine enforcement is going to be enabled. Finally, I will show you how to connect to your remote access VPN.
Adding Computers to the Group
Our next task that we have to perform is to add some client computers to the security group that we created in the previous article. Begin the process by opening the Active Directory Users and Computers console, and then selecting the container that bears the name of your domain. The reason why we are selecting this container is because we created the security group at the domain level, rather than placing it in the Users container.
When you select the domain level container, you should see the NAP Clients group displayed in the details pane. Double click on this group and Windows will open the group’s properties sheet. Go to the properties sheet’s Members tab and click the Add button. Now, enter the name of a client PC into the space provided. Next, click the Locations button and select the Computers container, and click OK. When Windows returns you to the Select Users, Contacts, Computers, or Groups screen, click the Check Names button to verify that Windows can find your client computer successfully. Click OK twice to complete the process.
Testing Your Group Policy Settings
Now that you have added a client computer to the security group that you have created, it is time to test the client computer to make sure that the NAP related group policy settings are in effect. Before you do though, go ahead and reboot the client machine, and then log in as a standard user.
Once you log in, open a Command Prompt window and enter the following command:
NETSH NAP CLIENT SHOW GROUPPOLICY
When you do, you should see a set of results similar to the ones that are shown in Figure A.
Figure A: Enter the NETSH NAP CLIENT SHOW GROUPPOLICY command at the Command Prompt
As you can see in the figure, there are several different types of enforcement clients built into Windows. This is because there are several different ways that NAP can be deployed. Being that we are using NAP to control access to a VPN server, the only enforcement client that we are interested in is the Remote Access Quarantine Enforcement Client. Look beneath the Remote Access Quarantine Enforcement Client, and ensure that the Admin line is set to Enabled, as shown in the figure above. The other enforcement clients should remain disabled in this particular configuration.
For the next test, enter the following command:
NETSH NAP CLIENT SHOW STATE
As you can see in Figure B, the output from this command is fairly long. Scroll through the output until you locate the Remote Access Quarantine Enforcement Client section. Verify that the Remote Access Quarantine Enforcement Client is initialized.
Figure B: Verify that the Remote Access Quarantine Enforcement Client is initialized
If both of these tests are successful, then the group policy settings related to NAP are successfully being applied to the client. If that is the case, then go ahead and close the Command Prompt window. Otherwise, you will need to go back and double check your configuration.
Creating a VPN Connection
The last step in the configuration process involves setting up our VPN connection to the Remote Access Server. The process for doing so is pretty simple. In Windows Vista, open the Control Panel, and then double click on the Network and Sharing Center icon. When the Network and Sharing Center opens, click the Setup a Connection or Network link, located in the Tasks pane. At this point, you will see a screen similar to the one shown in Figure C, asking you what type of connection you want to create.
Figure C: Choose the Connect to Workplace option, and click Next
Choose the Connect to a Workplace option, and click Next. If there are already network connections present, then Windows will ask you if you want to create a new connection or if you want to use an existing connection. Choose the option to create a new connection, and click Next.
The following screen asks you if you want to use your Internet connection, or if you want to create a direct dial connection. Choose the Use My Internet Connection (VPN) option. You will now be prompted to enter the Internet Address and the destination name. Enter either the RRAS server’s IP address or its URL into the Internet Address field, and then enter a description of the connection into the Destination Name field. You can see an example of this in Figure D. You should also select the Don’t Connect Now check box.
Figure D: Enter the RRAS server’s IP address and a description of the server that you are connecting to
Click Next, and you will be taken to a screen that gives you the option of entering your authentication credentials. Whether or not you save your credentials as a part of the connection’s attributes is up to you. When you are done, click the Create button, and the new connection will be created. Click Close to close the remaining dialog box.
Now that you have created a VPN connection, we have to configure some security settings. To do so, right click on the connection that you just created, and then choose the Properties command from the resulting shortcut menu.
When Windows opens the connection’s properties sheet, go to the Security tab, and select the Advanced option. Next, click the Settings button.
Windows will now display the Advanced Security Settings dialog box, shown in Figure E. Select the Require Encryption (Disconnect if Server Declines) option from the Data Encryption drop down list. Next, select the Use Extensible Authentication Protocol (EAP) option, and then choose the Protected EAP (PEAP) (Encryption Enabled) option from the Logon Security section.
Figure E: You must configure the connection to use PEAP
At this point, you must click the Properties button. When you do, Windows will display the Protected EAP Properties dialog box, shown in Figure F. Make sure that the Validate Server Certificate and the Connect to these Servers check boxes are selected. You should also make sure that the text box beneath the Connect to These Servers option contains a listing for the correct server.
Figure F: The authentication method must be set to EAP-MSCHAP V2)
The middle section of the dialog box contains a list of various certificate authorities. For the sake of simplicity, go ahead and select the check boxes next to each listed certificate authority. In the lower section of the dialog box, you should ensure that the Select Authentication Method option is set to Secure Password (EAP-MSCHAP v2) and that the Enable Quarantine Checks check box is selected.
The next step in the process is to click the Configure button, and then select the Automatically Use My Windows Logon Name and Password (and Domain if Any) check box. Click OK four times to close the various dialog boxes.
At this point, we are finally ready to put NAP to the test. As you may recall, you can require clients to meet any number of health criteria, but for demonstration purposes, we are only requiring the Windows Firewall to be enabled on the client machine. That being the case, open the Windows Security Center on the client machine, and turn the Windows Firewall off. When you are done, I recommend leaving the main Windows Security Center screen, shown in Figure G, open so that you can verify the status of the Windows Firewall.
Figure G: Ensure that the Windows Firewall is turned off
Now, open the Control Panel and double click on the Network and Sharing Center icon. When the Network and Sharing Center opens, click the Connect to a Network link. Next, Click on the VPN connection that you created earlier, and click the Connect button. When prompted, enter your authentication credentials, and click the Connect button. As Windows registers your computer on the network, the Windows Firewall should be automatically turned on, as shown in Figure H.
Figure H: NAP should automatically enable the Windows Firewall when the VPN connection is established
As you can see, configuring your Remote Access Server to use Network Access Protection is a rather tedious process. Even so, it is usually worth the effort, because doing so helps you to better ensure your network’s security.
If you would like to read other parts to the article series please read: