Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy (Part 1)

If you would like to read other parts to this article please go to:

If you would like to be notified when Tom Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

Network Access Protection is a new network access control feature included with Windows Server 2008. Network Access Protection or NAP allows you to control which computers can participate on your network. The ability to participate on your network is determined by whether or not a NAP client computer can meet the security requirements set forth in your NAP policies.

NAP has a number of “moving parts” that makes it inherently complex to configure. In addition to the number of moving parts, is the issue of what type of NAP enforcement you want to enable. For example, there are a number of NAP Enforcement Clients that control access to the network based on IP addressing information, or based on whether or not a client has a health certificate that allows it to connect to the network.

In this article series I will help you put together a simple DHCP NAP enforcement solution. When you use DHCP NAP enforcement, the DHCP server becomes your network access server. This means that it’s the responsibility of the DHCP server to provide the NAP client computers information appropriate to their level of compliance. If the NAP client computer is compliant, it receives IP addressing information that will allow it to connect to other computers on your network. If the NAP client computer is not complaint with your network health policies, then the NAP client will be assigned IP addressing information that limits what computers the client can connect to. Typically, your NAP policy will allow your non-compliant computers to connect to domain controllers and network infrastructure server, as well as machines that will enable the non-compliant computer to remediate and thus become compliant.

In the DHCP NAP Enforcement scenario, other servers are required. While the DHCP server is the network access server in this scenario, you need a RADIUS server that will contain your NAP policies. There are a number of policies that are stored on the NAP compatible RADIUS server, such as health policies, network policies, and connection request policies. In Windows Server 2008, the Network Policy Server (NPS) is used as the RADIUS server that will contain your NAP policies. The NPS server will work with your DHCP server and inform your DHCP server if the client is NAP compliant or non-compliant with your policies.

In order to set your heath policy, you will need at least one Security Health Validator (SHV) installed on the NPS server. By default, Windows Server 2008 provides you with the Windows Security Health Validator that you can use to set your network health policies.

On the client side, there are two components that you need to enable – the NAP Agent and the NAP Enforcement client. The NAP Agent collects the information about the security state of the NAP client computer and the NAP Enforcement Agent is used to enforce NAP policy, depending on the type of NAP enforcement you choose. In the scenario we’ll use in this series, we’ll be enabling the DHCP NAP enforcement agent.

The example network is a very simple one. It includes three machines:

  • A Windows Server 2008 Domain Controller. No other services are installed on this machine. The IP address assigned to this computer is 10.0.0.2 and this machine is the domain controller in the msfirewall.org domain.
  • A Windows Server 2008 member in the msfirewall.org domain. The IP address of this computer is 10.0.0.3. This computer will have the DHCP and NPS services installed on it, which we will do during the course of this article series.
  • A Windows Vista client computer. This machine is a member of the msfirewall.org domain.
  • In this article series we’ll perform the following procedures:
  • Create a Security Group that the NAP client computers will be placed in
  • Install NPS and DHCP services on the member server
  • Use the NAP wizard to create the NAP DHCP enforcement policy
  • Review the NAP Connection request policy
  • Review the NAP Network policies
  • Review the NAP Health policies
  • Configure the DHCP server to communicate with the NPS server for NAP enforcement
  • Configure the NAP settings in Group Policy
  • Enter the Vista computer into the NAP enforcement computers group
  • Test the solution

Again, there are a number of “moving parts” to the configuration of NAP, so read through these instructions a couple of times before implementing it in your own lab. Make sure that you understand why we’re doing each step, and never hesitate to contact me at [email protected] if you have any questions about the configuration.

Let’s get started!

Create a Security Group for NAP Client Computers

The first thing we’ll do is create a security group for the computers that will have NAP policy applied to them. Open the Active Directory Users and Computers console and then right click on the Users node. Point to New and click Group.


Figure 1

In the New Object – Group dialog box, enter NAP Enforced Computers in the Group Name text box. Select the Global option from the Group scope list and select the Security option from the Group type list. Click OK.


Figure 2

Install NPS and DHCP on the NPS Server Machine

The NPS computer will host the Network Policy Server and the DHCP server roles. Note that you can put the DHCP server on a computer other than the NPS server that will host the NAP policies, but you will still need to configure that “remote” DHCP server as both a DHCP server and a NPS server, and then configure that NPS server for forward the authentication requests to your NAP server. To make things a little easier, we’ll just put the NPS and DHCP server on the same machine.

In the Server Manager console, click on the Roles node and then click on the Add Roles link as seen in the figure below.


Figure 3

Click Next on the Before You Begin page.


Figure 4

On the Select Server Roles page, put a checkmark in the DHCP Server and Network Policy and Access Services checkboxes. Click Next.


Figure 5

Read the information on the Network Policy and Access Services page and then click Next.


Figure 6

We don’t need all the role services provided by the Network Policy and Access Services role. We only need the RADIUS (Network Policy Server) role. Put a checkmark in the Network Policy Server checkbox. Don’t select any of the other options. Click Next.


Figure 7

Read the information on the DHCP Server page and click Next.


Figure 8

The Server Manager makes life a bit easier on us than in the past, as it offers us the opportunity to configure the DHCP server during the installation process. On the Select Network Connection Bindings page, select the IP address that you want the DHCP server to listen on. The selection you make here depends on the complexity of your DHCP environment, as you might have one of more DHCP relays configured in your organization and thus have more than one IP address bound to the DHCP server. That’s not the case in this scenario, as we have a single IP address bound to this machine. Put a checkmark in the IP address checkbox and then click Next.


Figure 9

On the Specify IPv4 DNS Server Settings page, you have the chance to configure some DHCP options. Enter the domain name of your domain in the Parent Domain text box and enter the IP address of your DNS server in the Preferred DNS Server IPv4 Address text box. In this example our domain name is msfirewall.org so we’ll enter that domain name and the IP address of our DNS server is 10.0.0.2, so we’ll enter that IP address. We don’t have an alternate DNS server in this example so we’ll click Next.


Figure 10

We don’t have a WINS server on this example network so we won’t enter anything on the Specify IPv4 WINS Server Settings page. Just select the WINS is not required for applications on this network option and click Next.


Figure 11

In the Add or Edit DHCP Scopes page, click the Add button. In the Add Scope dialog box, enter the Scope Name, Starting IP Address, Ending IP Address, Subnet Mask, Default Gateway, and select a lease duration. The figure below shows our entries for these options on the example network. Click OK in the Add Scope dialog box.


Figure 12

Click Next on the Add or Edit DHCP Scopes dialog box.


Figure 13

We are not using IPv6 on this example network, so select the Disable DHCPv6 stateless mode for this server option and click Next.


Figure 14

In order to operate in our domain, this DHCP server needs to be authorized in Active Directory. Select the Use current credentials option if you’re logged in as a domain administrator. If not, then select the Use alternate credentials option and click Specify. In this example I’m logged on as a domain admin and so we’ll select the Use current credentials option and then click Next.


Figure 15

Review your settings in the Confirm Installation Selections page and click Install.


Figure 16

Click Close on the Installation Results page after you see that the installation of the NPS and DHCP servers has completed successfully.


Figure 17

Summary

In this, part 1 in our series of using NAP DHCP enforcement we went over some basic NAP concepts. Then we created a security group for our NAP client computers and then finished up with installing the DHCP and NPS server components of the solution. In the second part of the series, we’ll use the NAP wizard to create a NAP DHCP enforcement policy and then take a closer look at the settings created by the wizard. See you then! -Tom.

If you would like to read other parts to this article please go to:

If you would like to be notified when Tom Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top