Network Access Protection, Revisited (Part 4)

by [Published on 30 Oct. 2008 / Last Updated on 30 Oct. 2008]

In this article, we will continue the discussion of Network Access Protection by showing you how to configure the Network Policy Server.

If you would like to read other parts to the article series please read:

In the previous article in this series, I showed you how to configure the VPN component that will be used to allow external users to gain access to our network. In this article, I will continue the discussion by showing you how to configure the Network Policy Server component.

As I have explained earlier in the series, the Network Policy Server’s job is to compare the statements of health that it will receive from PCs that are requesting access to the network against the system health policy. The system health policy dictates what is required of PCs in order for them to be considered healthy.

In the real world, a system health policy would likely require workstations to be running a current Windows operating system, and to have all of the latest security patches. Regardless of what criteria you use to decide whether or not a workstation is healthy, you are going to have to do some work.

For demonstration purposes, we will create a very simple system health validator that simply checks to see if the Windows firewall is enabled. If the firewall is enabled, then we will consider the workstation to be healthy.

As I mentioned earlier in this article series, in the real world you should not host the Network Policy Server on the same box as your VPN server. The VPN server is exposed to the outside world, and if you host the Network Policy Server on this box, then you run a high risk of the Network Policy Server being compromised. There is nothing in Windows that prevents you from using the same server for both the VPN components and the Network Policy Server though, so for demonstration purposes (and because of a lack of hardware) I will be using the same box to host both components.

Configuring a Network Policy Server

Begin the configuration process by entering the MMC command at the Run prompt to open an empty Microsoft Management Console. When the console opens, select the Add / Remove Snap-in command from the console’s File menu. This will cause Windows to display the Add or Remove Snap-Ins dialog box. Select the Network Policy Server option from the list of available snap-ins, and click the Add button. You should now see a prompt asking you if you would like to manage the local computer or another computer. Make sure that the Local Computer option is selected and then click OK. Click OK one more time and the Network Policy Server component will be opened.

At this point, you must navigate through the console tree to NPS (Local) | Network Access Protection | System Health Validators, as shown in Figure A. Now, right click on the Windows System Health Validator object found in the center pane of the console, and select the Properties command from the resulting shortcut menu. This will cause Windows to display the Windows Security Health Validator Properties dialog box, shown in Figure B.


Figure A: Navigate through the console tree to NPS (Local) | Network Access Protection | System Health Validators


Figure B: The Windows Security Health Validator Properties dialog box is used to configure the system health validator

Click the dialog box’s Configure button and Windows will display the Windows Security Health Validator dialog box, shown in Figure C. As you can see in the figure, this dialog box allows you to define your system health validator policy. By default the dialog box is configured to require the Windows firewall to be enabled, Windows update to be enabled, and anti virus and anti spyware protection to be installed and up to date. Since we are only interested in making sure that the Windows firewall is enabled, leave the A Firewall is Enabled for all Network Connections check box selected, but deselect all of the other check boxes. Click OK twice to continue.


Figure C: Select the 'A Firewall is Enabled for all Network Connections' check box and deselect all of the other check boxes

Creating a System Health Policy

Now that you have configured the System Health Validators, you must configure a System Health Policy. System health policies define the system health validation results. Essentially, this means defining what constitutes a pass or fail when the system health validation is performed on a client.

To configure the Network Policy Server’s health policy, navigate though the console tree to NPS (Local) | Policies | Health Policies. Now, right click on the Health Policies container, and select the New command from the resulting shortcut menu. When you do, Windows will display the Create New Health Policy dialog box that’s shown in Figure D.


Figure D: You must create a new system health policy

As you can see in the figure, the dialog box prompts you to enter a name for the new policy. Enter the word Compliant into the Name field. Now, make sure that the Client SHV Checks drop down list is set to Client Passes all SHV Checks. Select the Windows System Health Validator check box and click OK.

We have now created a policy that defines what it means to be compliant. We must now create a second policy that defines what it means for a system to be out of compliance. To do so, right click on the Health Policies container and select the New command from the resulting shortcut menu. You should now see the same screen that you were working with a moment ago.

This time, name the new policy NonCompliant. Set the Client SHV Checks drop down list to use the Client Fails one or More SHV Checks option. Now, select the Windows Security Health Validator check box and click OK. If you return to the Network Policy Server console’s main screen and select the Health Policies container, you should see both the Compliant and the NonCompliant policies displayed in the console’s center pane, as shown in Figure E.


Figure E: If you return to the Network Policy Server console’s main screen and select the Health Policies container, you should see both the Compliant and the NonCompliant template displayed in the console’s center pane

Conclusion

In this article, I have shown you how to configure a system health validator so that Windows will check to see if clients requesting access to the network have the Windows firewall enabled. I then showed you how to create a system health policy that defines what it means to be in and out of compliance with the network health policy.

In the next part of this article series, I will show you how to create health authorization policies. Health authorization policies are the policies that control what happens if a client is compliant with the network health policy, or what will happen if the system that is requesting network access is found to be non compliant. It is these policies that determine what level of access, if any, the client will receive to the network. As this series progresses, I will also be discussing automatic remediation. Remediation refers to fixing health problems on the fly, prior to granting clients network access.

If you would like to read other parts to the article series please read:

Featured Links