1 / 38

Windows Clients and Windows Server 2008 NAP: Why They Are Better Together

Windows Clients and Windows Server 2008 NAP: Why They Are Better Together. Jayson Ferron CIO Interactive Security Training WSV206. Windows Clients and Windows Server 2008 NAP: Why they a re b etter together.

lida
Download Presentation

Windows Clients and Windows Server 2008 NAP: Why They Are Better Together

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Clients and Windows Server 2008 NAP: Why They Are Better Together Jayson Ferron CIO Interactive Security Training WSV206

  2. Windows Clients and Windows Server 2008 NAP: Why they are better together • In the talk you see why using the built functionality of Windows in both the client and server makes a compelling argument for introducing this technology into your company • We will explore the required services and configurations that an administrator needs to understand in planning NAP • We will cover new features that are in Windows 7 and Server 2008 r2

  3. What is Network Access Protection (NAP) • Protect from Malware threats • We will talk about • using malware prevention technologies, how NAP provides centralized definition, integration, and enforcement of system health requirements to help prevent the exposure to malware on a private network • What is required to Setup NAP • What’s new With Windows 7 and Server 2008 • With demos along the way

  4. Network Access Protection Overview • The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients: • Windows XP SP3 and later • Windows Server 2008 and later • Additional Hardware Switched network that supports 802.1X • Set of operating system components that provide a platform for system health-validated access to networks • An architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur • Additional components supplied by third-party software vendors or Microsoft

  5. Why NAP • We do not trust users to install all patches and updates as required and need to Verify that system are in compliance • Do the systems have: • current anti-virus software? • current anti-spyware? • current corporate-approved patches? • host-based statefull enabled? • What other configuration settings are required for adherence to the organization’s security policies?

  6. NAP is an Additional Layer in Network Security • Network Access Protection is not a silver bullet for network security • NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy • NAP is not designed for: • blocking unauthorized users • rogue machine control • software distribution control • NAP is a flexible health control solution that is reliant on other mechanisms to solve these issues

  7. NAP Walkthrough UntrustedNetwork Boundary Network Secure Network DHCP CA Here it is. May I have a health certificate? Here’s my SoH. Issue me a health certificate. Client OK? Yes. Issue health certificate. No. Needs fix-up. You don’t get a health certificate. Go fix up. HRA Here’syour health certificate.  NPS X Client I need updates. Accessing the network Here you go. Remediation Server

  8. NAP Components Platform Components Enforcement Components Health Components • System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.). • Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC. • Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs. • Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies. • System Health Validators (SHV) = Certify declarations made by health agents. • Network Access Devices = Provide network access to healthy endpoints. • Health Requirement Servers = Define health requirements for system components. • Health Registration Authority = Issues certificates to clients that pass health checks. • Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state. Health Requirement Servers Remediation Servers Health Policy Updates Client Network Access Requests Health Statements Network Policy Server SHA<n> Health Result Health Certificate NAP Agent SHV<n> Network Policy Server QEC 1 QEC 2 Health Registration Authority

  9. System Health Agent Options • Allows for multiple configurations of SHA deployments • Windows SHA • Antivirus settings • Antispyware settings • Firewall settings • Windows Updates Settings • System Center Configuration Manager 2007 (SCCM) SHA • Patch Management • Forefront Client Security (FCS) SHA • 3rd party SHAs

  10. SoH Renewal Processing • Client SoH is revalidated when: • Health certificate approaches 80% of validity time • Network state changes • Changes in client configuration detected by an SHA • Group policy is updated

  11. How NAP Integrates with IPsec • NAP evaluates computer health and issues a “health certificate” through a Health Registration Authority (HRA) • Compliant hosts receive a health certificate • Noncompliant hosts are denied • Non NAP-capable hosts receive “health exemption” certificates through AutoEnrollment • IPsec policy is configured to require health certificate for Tunnel and/or Transport Mode • Can be combined with optional user-level authentication

  12. NAP Components • Network Policy Server (NPS) • Certification Authority (CA) • Health Registration Authority (HRA) • NAP Agent with IPSec Relying Party

  13. Health Registration Authority • The Health Registration Authority (HRA) is used to issue health certificates to clients that satisfy health checks • Web service receiving requests from the NAP clients • HRA is a new Windows Server 2008 or Windows Server 2008 R2 role • Health certificates are regular X.509 certificates with a very short lifetime (on the order of hours) • System Health Authentication OID in the certificate

  14. Network Policy Server • Network Policy Server (NPS) is used by the HRA to validate the SoH • NPS receives computer credentials and SOH from HRA using RADIUS protocol • SoH is evaluated by SHVs running on the NPS server, and results matched against the Health policies • Network policies are then used to authorize or deny network connection requests

  15. Network Policy Options • Allow full network access • Allow full network access for limited time • Enforcement is deferred until a later date • Limited network access • Access is restricted to remediation servers

  16. myVPC Network Policy Server (NPS) Name Title Company

  17. Certification Authority • Issues health certificates for NAP-compliant machines • Certificate Authority requirements: • Enterprise or standalone subordinate CA under a trusted Root CA • Windows Server 2003 or later • Recommended that dedicated health certificate-issuing CAs are deployed • No revocation is typically required due to short certificate lifetime • High volume of certificates issued could impact other services also relying on the CA

  18. myVPC Certification Authority (CA

  19. IPsec Relying Party • The IPsec Relying Party is a component of the NAP Agent that obtains a health certificate from the Health Registration Authority (HRA) • Also interacts with the following: • Certificate store: Stores the health certificate • IPSec components in Windows: Ensures that health certificates are used for IPSec-based communication • Host-based firewall (such as Windows Firewall): Ensures that IPSec-protected traffic is allowed by the firewall

  20. Health Registration Authority (HRA) Configuration • Exposed to the Internet to receive health information and issue certificates to external clients • Forefront TMG/UAG can be used to securely publish HRA web services • Forwards requests to internal NPS and CA servers • NPS proxy installed on the HRA servers • Multiple HRAs load balanced for high availability • Use of HRA Discovery to publish HRA information using DNS

  21. Network Policy Server (NPS) Configuration • NPS servers configured in the internal network, receiving the RADIUS requests from the HRAs • Multiple NPS servers configured in Server Group for high availability • Configuration stored locally, use scripts to replicate • Configure NPS logging • Allows logging to text files or database (ODBC) • Best practice is to log to local database, replicate to central SQL repository

  22. Certification Authority (CA) Configuration • Microsoft Certificate Services required • Can be configured either as Stand-Alone or Enterprise CA • Requires security permissions to enable HRA to request and manage certificates • Also certificate template permissions for Enterprise CAs • Best practice is to dedicate CA to Health Certificates • Volume of certificate requests would overwhelm existing CAs and make certificate database management hard • Windows Server 2008 R2 CA allows non-persisted certificate requests

  23. NAP Client Configuration • Enable NAP Agent service and IPsec Relying Party • Configure HRA URLs • Install and enable SHAs • For Windows SHA, turn on Security Center • Configure IPSec policy to use health certificates

  24. NAP Health Exemptions • Use AutoEnrollment to enroll “Health Exemption” certificates to systems exempt from NAP compliance • Define group for DA clients exempt from NAP • Create certificate template with the following attribute: • Custom application policy – “Server Health” • OID = “1.3.6.1.4.1.311.47.1.1” • Grant enroll and autoenroll permissions to group

  25. Remediation Servers • Any service that needs to be available to clients for remediation to happen • Depend on what SHAs are being used by organization • Remediation Servers need to be reachable from unhealthy clients • Publish remediation servers externally to the Internet • Use separate DA server and IPv6 subnet for remediation servers • Require additional (non-health) client certificate to secure access to remediation subnet

  26. announcing New for Windows 7 and Windows Server 2008 R2

  27. Network Policy Server (NPS) new features in Windows Server 2008 R2: • NPS Templates and Templates Management • RADIUS accounting improvements • Full support for international, non-English character sets using UTF-8 encoding

  28. Network Access Protection (NAP) new features in Windows Server 2008 R2 and Windows 7 • Multi-configuration SHV • NAP client user interface improvements.

  29. Multi-Configuration SHV • SHVs define configuration requirements for computers that attempt to connect to your network, via wired, wireless, or VPN • With multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV

  30. NAP Walkthrough Untrusted Network Boundary Network Secure Network DHCP CA Here it is. May I have a health certificate? Here’s my SoH. Issue me a health certificate. Client OK? Yes. Issue health certificate. No. Needs fix-up. You don’t get a health certificate. Go fix up. HRA Here’s your health certificate.  NPS X Client I need updates. Accessing the network Here you go. Remediation Server

  31. demo Putting it all together

  32. Windows Clients and Windows Server 2008 R2 NAP: Why They Are Better Together • In the talk you seen why using the built functionality of Windows in both the client and server make a compelling argument for introducing this technology into your company. • We have will explore the required services and configurations that a administrator need to understand in planning NAP. • We covered some of new features that are in Windows 7 and Server 2008 r2

  33. question & answer

  34. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. Resources • www.microsoft.com/teched Sessions On-Demand & Community • www.microsoft.com/learning • Microsoft Certification & Training Resources • http://microsoft.com/technet • Resources for IT Professionals • http://microsoft.com/msdn Resources for Developers www.microsoft.com/learning Microsoft Certification and Training Resources

  35. Windows Server Resources Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2 Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies Over 15 booths and experts from Microsoft and our partners

  36. Required Slide Complete an evaluation on CommNet and enter to win!

  37. Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related