Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy (Part 4)

If you missed the previous articles in this series please read:

In the first three articles in this series on how to configure a NAP DHCP Enforcement policy, we went over the basics of NAP and then created a DHCP Enforcement policy on the NPS server that hosts the NAP policies. In this, part 4 and the final article in the series, we’ll finish up the configuration by settings up the DHCP server to work with the NPS server and the NAP policies, and then configure Group Policy so that NAP policy and NAP components are automatically configured for any machine that belongs to the NAP computers security group in Active Directory. At the end, we’ll finish up by testing the solution to see if it actually works.

Configure the DHCP Server

Now that we have the NAP policies set up with the help of the NAP wizard, we can move our attention to configuration of the DHCP server. Remember, the DHCP server is the network access server in a DHCP NAP scenario, and so we need to configure the DHCP server to communicate with the NAP components in order to work.

Open the DHCP console from the Administrative Tools menu. In the DHCP console, expand the server name, then expand the IPv4 node, and then expand the Scope node. Click on the Scope Options node. Right click on an empty area in the right pane as seen in the figure below, and click the Configure Options command.


Figure 1

In the Scope Options dialog box, click on the Advanced tab. In the Vendor class drop down box, make sure that it says DHCP Standard Options. In the User class drop down list box, make sure that you select the Default Network Access Protection Class entry. The DHCP option that we’re going to configure here will be applied to clients to identify themselves as NAP clients that are non-compliant.

In the list of Available Options, find the 006 DNS Servers entry and put in the IP address of the DNS server in the IP address text box and then click Add.


Figure 2

Find the 015 DNS Domain Name option and enter in the String value text box a name that will be used by non-compliant NAP clients. This will allow you to easily identify non-compliant computers. Click OK.


Figure 3

You will now see entries for both the None and the Default Network Access Protection Class. The latter class options will be assigned to non-compliant computers when DHCP enforcement is used with NAP.


Figure 4

But before NAP can use these settings, we need to configure the scope to work with NAP. Click on the Scope node under the IPv4 node in the left pane of the console and then right click it. In the Scope Properties dialog box, click the Network Access Protection tab. Select the Enable for this scope option and then select the Use default Network Acce3ss Protection profile option.

The Use custom profile option looks interesting, but there is no documentation on the Internet, including the www.microsoft.com Web site, that provides any information on how this option might be used. I’ll blog about this in the future if I figure out how to make this work.

Click OK in the Scope Properties dialog box.


Figure 5

Configure NAP Settings in Group Policy

While we can manually configure NAP on each machine that will participate in our NAP security framework, manual configuration is not very scalable. To solve this problem, Microsoft has included the necessary Group Policy extensions required to make NAP configurable from Group Policy.

There are three things we need to do in Group Policy to centralize the configuration:

  • Enable the NAP Agent on the machines participating in NAP
  • Configure the NAP Enforcement Agent (in this case, it will be the DHCP NAP Enforcement Agent)
  • Configure the Group Policy Object to apply only to machines that belong to the security group containing the machines that will participate in NAP network access controls.

Before performing the following steps, you need to create a Group Policy Object named NAP Client Settings. This can be done in the Group Policy Management Console. If you don’t know how to do this, check the Help in the Group Policy Management console, as it’s quite easy. Make sure that the Group Policy Object is in the domain that your computers are in.

Enable the NAP Agent

After you create the NAP Client Settings Group Policy Object, open that GPO in the Group Policy Management Editor. You can do that by right clicking on the GPO in the Group Policy Management Console and then clicking the Edit command.

In the Group Policy Management Editor, expand the Computer Configuration node and then expand the Policies node. Expand the Windows Settings node and then click the System Services node.

In the System Services node, you’ll see an entry in the right pane for Network Access Protection Agent. Double click on that entry. In the Network Access Protection Agent Properties dialog box, put a checkmark in the Define this policy setting checkbox and then select the Automatic option. Click OK.

These steps enable the NAP agent on co9mputers where this GPO is enforced. The NAP Agent has to be enabled in order for NAP processing to work correctly.


Figure 6

Enable the DHCP Enforcement Client

The next step is to enable the DHCP Enforcement Client on the NAP enabled computers. In the Group Policy Management editor, expand the Computer Configuration, expand the Windows Settings node, and then expand the  Network Access Protection node. Expand the NAP Client Configuration node and then click on the Enforcement Clients node.

When on the Enforcement Clients node, the right pane of the console will show the various enforcement clients available for NAP. You can enable one or more enforcement methods; you are not limited to a single enforcement client. In this example we are using only DHCP enforcement, so right click on the DHCP Quarantine Enforcement Client entry and click Enable, as seen in the figure below.


Figure 7

Click on the NAP Client Configuration node in the left pane of the console as seen in the figure below. Right click on the NAP Client Configuration node and then click Apply. This applies the Enforcement Client settings into Group Policy.

I have found that there times when the Enforcement Client settings do not “take”. This has lead to a confusing and time consuming troubleshooting exercise for me in the past. What you might want to do is after you apply the Enforcement Client settings is to close the Group Policy Management Console and the Group Policy Management Editor and then open them again and check the Enforcement Client Settings. If you find that the Enforcement Client Settings are not enabled, then enable them again. Usually after the second attempt they will keep.


Figure 8

Use Group Policy Security Filtering to Apply the GPO to the NAP Enforced Computers Security Group

Our final step in Group Policy is to apply the GPO settings in the NAP Client Settings GPO to the computers that belong to the NAP Enforced Computers security group that we created earlier. Open the Group Policy Management console and then expand the forest name and then expand the domains node. Then expand your domain name and click on the NAP Client Settings GPO.

In the right pane of the console you’ll see a section named Security Filtering. You can use this feature to apply the Group Policy settings in this GPO to the security group we created for the NAP client computers.

In the Security Filtering section, click on the Authenticated Users entry and click the Remove  button.


Figure 9

You will see a Group Policy Management dialog box asking if Do you want to remove this delegation privilege? Click OK.


Figure 10

Now click the Add button. This will bring up the Select User, Computer or Group dialog box. Enter NAP Enforced Computers in the Enter the object name to select text box, and click Check Names to confirm that the group can be found. Then click OK.


Figure 11

You will now see in the Security Filtering section the security group that the NAP enabled computers will be placed in.


Figure 12

Enter the Vista Computer into the NAP Enforced Computers Security Group

With the Group Policy settings in place, we are ready to put our Vista client computer into the NAP Enforced Computers security group. Open the Active Directory Users and Computers console and click the Users node in the left pane of the console.

Double click on the NAP Enforce Computers entry. This brings up the NAP Enforced Computers Properties dialog box. Click the Members tab and then click the Add button.

In the Select Users, Contacts, Computers or Groups dialog box, enter the name of the computer that will participate in NAP enforcement. In this example, we have a domain member computer named VISTA2 and we’ll enter that into the Enter the object names to select text box.


Figure 13

If the machine that you want to participate in the NAP enforcement group hasn’t yet joined the domain, you can instead create the computer account in the Active Directory by using the Add Computer option in the Active Directory Users and Computers console. You can then later join this machine to the domain. In the example network that we’re using in this article, the VISTA2 computer is already a domain member.

At this point you might want to consider running the gpupdate /force command on the domain controller. Also, if your NAP enforced computers are already joined to the domain, you might want to restart those computers so that the new Group Policy settings are applied.

The most problematic area in the NAP solution are the Group Policy timings. In a production network you’ll have plenty of time to wait for Group Policy propagation, but in a lab environment we tend to get impatient and want things to work right away. If you find that the settings aren’t being applied to the client, then be patient. Restart the client a couple of times or run the gpupdate /force command on the client. If NAP still isn’t working, then recheck all of your settings in the NAP configuration and also in Group Policy. There are a lot of “moving parts” and it’s easy to miss a step.

Now let’s see the NAP solution in action.

Test the Solution

Remember that when you’re using DHCP enforcement, the clients must be using DHCP to obtain IP addressing information. When you open a command prompt and run the ipconfig command, you will IP addressing information for the DHCP client. In the figure below, you can see that the this client is not NAP compliant, as it received the domain name restricted.msfirewall.org, which is a DHCP option we created for non-compliant NAP clients.


Figure 14

At the command prompt, run the Route Print command. Notice the routes to the DHCP server and the domain controller. Notice that there are no other routing interfaces to the on subnet network ID. This means that this NAP client will be able to reach the DHCP server and the domain controller, but no other machines on the network. This machine is locked down because the routing table entries prevent access to any other IP addresses except those we’ve configured in NAP (remember that the domain controller is in the remediation group, and the DHCP is automatically allowed since it is the network access server that controls the level of network access).


Figure 15

These findings are what you would see if the machine were not joined to the domain or if the NAP settings aren’t being applied to the client.

Now let’s see what things look like when the NAP settings are applied.

Run the ipconfig command again and you’ll see that you get the non-restricted domain name assigned to the client.


Figure 16

Run the Route Print command. Here you’ll see that we have a default gateway configured. In addition, we now have a routing interface to the on subnet network ID. The special routing interfaces to the DHCP server and the domain controller have been removed.


Figure 17

Let’s test the auto-remediation feature. Recall that we enabled auto-remediation in the Windows Security SHV. This allows the NAP Agent to try and fix security problems that might crop up on the NAP client. For example, if the firewall is disabled on the NAP client, the NAP Agent can turn the firewall back on.

In the figure below, you can see that I’ve turned off the Windows Firewall on the Vista client. Try this on your own Vista client.


Figure 18

Wait a few second. Bam! You’ll see that the state of the Windows firewall automatically changes to being on again without any intervention on your part.


Figure 19

Note that you didn’t see anything in the system tray for this. If you want to see a system tray notification, then you’ll need to configure things so that the NAP Agent will not be able to auto-remediate. If you go back to the Windows SHV on the NPS server, you can change it so that an AV program is required. If there is no AV program on the client, then you’ll see a system tray notification balloon regarding the security configuration of the computer does not meet network requirements. If you click the balloon, you’ll see a dialog box like that in the figure below.


Figure 20

Summary

In this, the last part of our four part series on using DHCP enforcement with NAP, we went over the DHCP server configuration and then set things up in Group Policy to automate policy deployment. We then finished up by testing the solution and confirming the NAP DHCP policy enforcement actually worked. And it did! In the future I’ll do more articles NAP configuration using different enforcement methods. Then we’ll take a closer look at more sophisticated options, such as using multiple NAP and DHCP servers (or enforcement servers). See you then! -Tom.

If you missed the previous articles in this series please read:

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top