Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy (Part 2)



If you would like to be notified when Tom Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

In the first part of this series on how to configure a DHCP NAP enforcement policy we went through some of the basics of how NAP works, and then installed the DHCP and NPS services on the NAP policy server. In this, part two of the series, we’ll look at how to use the NAP policy wizard to automatically create the Network, Health and Connection policies that will be used to control access to the network.

Use the NAP Wizard to Create a NAP DHCP Enforcement Policy

Now we can begin the fun part – creating the NAP DHCP Enforcement Policy. After we run the wizard, the wizard will create the following policies:

  • Health Policies
  • Connection Request Policies
  • Network Policies
  • Remediation Server Group policies

We’ll take a closer look at each of these policies after we finish the wizard.

Open the Network Policy Server console from the Administrative Tools menu. In the middle pane of the console you will see the Getting Started page. In the Standard Configuration section, select the Network Access Protection (NAP) option from the drop-down list labelled Select a configuration scenario from the list and then click the link below to open the scenario wizard.

Now click the Configure NAP link.


Figure 1

On the Select Network Connection Method For Use with NAP page, in the Network connection method section select the Dynamic Host Configuration Protocol (DHCP) option from the drop down list. Remember, when we use NAP, we have to choose an enforcement method, and that’s what you’re doing here. The DHCP server becomes the “network access server” in this scenario and it’s the DHCP server that’s responsible for the level of network access the NAP client can have.

The Policy name text box will automatically be populated with NAP DHCP for the name that will be appended to a number of policies created by the wizard. We’ll see this later when we finish the NAP wizard.

Click Next.


Figure 2

On the Specify NAP Enforcement Server Running DHCP Server page, you can include the IP address of the DHCP server that will act as the network access server. You use this option when the DHCP server and the NPS server hosting the NAP policies are not located on the same machine.

If you want to add remote DHCP NAP enforcement servers, they must be configured as RADIUS clients, which means that you need to configure those machines as NPS servers as well. The difference is that these NPS servers do not host the NAP policy settings. They just proxy the RADIUS requests to the NPS server hosting the NAP policy settings. I recommend that configuration in a large production environment, where the DHCP server and the NAP servers will both be relatively busy. In addition, it’s likely that you’ll have multiple DHCP servers in your company, and you want all of them to be able to communicate with your NAP policy server or servers.

In this example network we are co-locating the DHCP and NPS servers on the same machine, so we won’t add any remote DHCP servers to the list. Click Next.
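The article notes that remote DHCP enforcement servers must be registered as RADIUS clients of the NAP policy server. The following script is an added example, not part of the original article, that does that registration from PowerShell using the NPS module's New-NpsRadiusClient and Get-NpsRadiusClient cmdlets (available on Windows Server 2012 and later, whereas the article walks through the Windows Server 2008 console). The server names and addresses are constructed for illustration, and New-RadiusSharedSecret is a helper defined here, not an NPS cmdlet.

```powershell
# Added example (not from the article): register remote DHCP enforcement servers
# as RADIUS clients on the NAP policy server. Requires the NPS PowerShell module
# (Windows Server 2012 or later). Names and addresses are constructed.

$dhcpServers = @(
    @{ Name = 'DHCP-BRANCH1'; Address = '10.0.1.10' },
    @{ Name = 'DHCP-BRANCH2'; Address = '10.0.2.10' }
)

function New-RadiusSharedSecret {
    # Generate a strong shared secret from the OS CSPRNG rather than a
    # hand-typed password; RADIUS security rests on this secret.
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Collect the secrets so they can be handed to the remote DHCP/NPS proxy
# administrators out of band; each proxy must be configured with the same
# secret when it is pointed at this policy server.
$issuedSecrets = @{}

$existing = Get-NpsRadiusClient | ForEach-Object { $_.Name }

foreach ($srv in $dhcpServers) {
    if ($existing -contains $srv.Name) {
        Write-Host "RADIUS client $($srv.Name) already exists, skipping"
        continue
    }
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $srv.Name -Address $srv.Address -SharedSecret $secret | Out-Null
    $issuedSecrets[$srv.Name] = $secret
    Write-Host "Registered $($srv.Name) ($($srv.Address)) as a RADIUS client"
}

# $issuedSecrets now maps client name -> shared secret; distribute it securely
# and do not leave it in a script log.
```

The script skips clients that already exist, so it can be re-run safely as DHCP servers are added; the remote servers still need the matching NPS proxy configuration described in the article, which this script does not create.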


Figure 3

You have the option to enable NAP on a per-scope basis when using DHCP enforcement. If you don’t want to apply NAP enforcement policy to all DHCP scopes, you can enter the scopes that you do want NAP policy applied to on the Specify DHCP Scopes page. In our example network, we want to enable NAP policy on all scopes, so we won’t enter any specific scopes on this page. Click Next.
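Because leaving the Specify DHCP Scopes page empty means "all scopes", it is worth confirming after the wizard finishes that every active scope really is under NAP enforcement. This is an added verification example, not code from the article, using the DhcpServer module's Get-DhcpServerv4Scope and Set-DhcpServerv4Scope cmdlets (Windows Server 2012 and later); the host name NPS1 is a placeholder, and the profile name NAP DHCP is the wizard default shown in the article.

```powershell
# Added example (not from the article): audit which DHCPv4 scopes have NAP
# enforcement enabled. Requires the DhcpServer module (Windows Server 2012+).
# $DhcpServer is a placeholder host name.
$DhcpServer = 'NPS1'

$scopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Select-Object ScopeId, Name, State, NapEnable, NapProfile

# Show the current per-scope NAP state at a glance.
$scopes | Format-Table -AutoSize

# Inactive scopes hand out no leases, so only active scopes without NAP matter.
$unprotected = $scopes | Where-Object { $_.State -eq 'Active' -and -not $_.NapEnable }

if ($unprotected) {
    Write-Warning 'Active scopes without NAP enforcement:'
    $unprotected | ForEach-Object { Write-Warning "  $($_.ScopeId) ($($_.Name))" }

    # To bring those scopes under the policy the wizard created, uncomment:
    # $unprotected | ForEach-Object {
    #     Set-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $_.ScopeId `
    #         -NapEnable $true -NapProfile 'NAP DHCP'
    # }
} else {
    Write-Host 'All active scopes have NAP enforcement enabled.'
}
```

Running this as a scheduled check also catches scopes added later by another administrator who forgot to enable NAP on them.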


Figure 4

You can also allow or deny access to specific groups of users or computers in your NAP policy. In this example we will apply policy to all machines and users. Click Next.


Figure 5

All computers need access to certain servers on the network. These include infrastructure servers, such as Active Directory, DNS, DHCP and WINS servers. All machines will need access to remediation servers, which are machines that non-compliant machines can access in order to reach compliance.

On the Specify a NAP Remediation Server Group and URL page, click the Group button to open the New Remediation Server Group dialog box. In the New Remediation Server Group dialog box, enter a group name in the Group Name text box. In this example we’ll name the group Network Services.

Click the Add button in the New Remediation Server Group dialog box. This brings up the Add New Server dialog box, where you can add the servers that will be members of the remediation group. In the Add New Server dialog box, enter a name for the server in the Friendly name text box. In this example we’ll add the domain controller, so we’ll enter DC into this text box. The IP address of the domain controller is 10.0.0.2, so we’ll enter that into the IP address or DNS name text box. If you know the server’s DNS name instead, you can enter that name in the text box and then click the Resolve button.

Click OK in the Add New Server dialog box.


Figure 6

You now see the name of the remediation server group and the IP address of the server that you added to the group. Remember, the purpose of this group is to exempt its members from the restrictions of NAP policy. The domain controller in this example is a machine that all domain members need to be able to communicate with in order to log on. If you don’t allow your NAP clients, compliant or not, to connect to the domain controller, then they won’t be able to log on to the network, and so won’t be able to try to become compliant after logging on.

Click OK in the New Remediation Server Group dialog box.


Figure 7

Click Next on the Specify a NAP Remediation Server Group and URL page. Note that we also have the option to enter a Troubleshooting URL on this page. We won’t use one in this example, but it’s something that you can include if you want to point users to a Web page that shows them how to become compliant if their computers end up becoming non-compliant and are unable to auto-remediate.


Figure 8

On the Define NAP Health Policy page, you have the option to select which System Health Validators you want to use to define the Health Policy. By default, there is only a single System Health Validator included with Windows Server 2008, which is the Windows Security Health Validator. Third party vendors have the option to include their own System Health Validators that you can install into the NAP policy server. However, I’m unaware of any of them at this time.

Make sure that there is a checkmark in the Windows Security Health Validator checkbox. Also, put a checkmark in the Enable auto-remediation of client computers checkbox. This option allows the NAP client components to try to remediate the problem themselves if possible. For example, if the Windows Firewall is disabled, the NAP agent will try to enable the Windows Firewall itself.

In the Network Access restrictions for NAP-ineligible client computers section, you determine what you want to do with machines that are not NAP capable. You have two options:

  • Deny full network access to NAP-ineligible client computers. Allow access to a restricted network only
  • Allow full network access to NAP-ineligible client computers

The first option is the more secure one, while the second option is the more liberal one. Your selection depends on your design goals for NAP. You might want to allow non-NAP capable computers complete access to the network during your NAP deployment, and then, after you complete the deployment, flip the switch and force all machines to be NAP compliant.

Click Next on the Define NAP Health Policy page.


Figure 9

On the Completing NAP Enforcement Policy and RADIUS Client Configuration page you can see the Health Policies, Connection Request Policy, Network Policies and Remediation Server Group that will be created by the wizard. We’ll take a closer look at each of these policies in a little bit.


Figure 10

Notice that there is a Configuration Details link. When you click that link it will bring up a Web page that provides details about each of the policies that will be created by the wizard.


Figure 11

Summary

In this, part 2 of our series on DHCP enforcement for NAP clients, we went through the NAP policy wizard and explored each of the options provided by the wizard. We saw that the NAP policy wizard makes it relatively simple to create a comprehensive NAP policy, as it creates a number of Network, Health, and Connection policies that control what machines can participate in the network. In the next part of this series, we’ll look at each of these rules in more detail and explain the function and rationale behind each of these rules. See you then! -Tom.
