Network Access Protection, Revisited (Part 5)

by [Published on 11 Nov. 2008 / Last Updated on 11 Nov. 2008]

This article continues the series on Network Access Protection by examining the process for creating authorization policies.

If you would like to read other parts to the article series please read:

In the previous article in this series, I showed you how to configure a system health validator that checks to see if clients requesting access to the network have the Windows firewall enabled. I then showed you how to create system health policies that define what it means for clients to be healthy or unhealthy.

In this article, I will continue the discussion by showing you how to create network policies. Network policies are the policies that control what happens if a client is compliant with the health policy, or what will happen if the system that is requesting network access is found to be non compliant. It is these policies that determine what level of access, if any, the client will receive to the network.

Creating Network Policies

Begin the process by opening the Network Policy Server console and selecting the console’s Network Policies container. Upon doing so, take a look at the Details pane to see if any network policies currently exist. On my test system, there are two default network policies, both of which are enabled by default. One policy is the Connections to Microsoft Routing and Remote Access Server policy, and the other is the Connections to Other Access Servers policy. I recommend disabling these policies by right clicking on them, and choosing the Disable command from the resulting shortcut menu.

Now that you have cleared out the previously existing policies, you can create a new network policy. To do so, right click on the Network Policy container and select the New command from the resulting shortcut menu. When you do, Windows will launch the New Network Policy Wizard.

The first thing that you will have to do is to assign a name to the policy. Let’s call this policy Compliant-Full-Access. You can enter the policy’s name into the Policy Name field, found on the wizard’s initial screen. Leave the Type of Network Access Server drop down list set to Unspecified, as shown in Figure A, and click Next.


Figure A: Assign a name to the new policy and click Next

The next screen that you will encounter asks you to specify the conditions that are to be used by the new network policy. You can click the Add button to open the Specify Conditions dialog box. Scroll through the dialog box’s various options until you locate the Health Policies option. Select the Health Policies option, and click the Add button. When you do, you will be prompted to select the health policy that you want to enforce. Choose the Compliant option from the drop down list, as shown in Figure B.


Figure B: Choose the Compliant option from the list of health policies

Click OK to close the Select Conditions dialog box, and then click Next. When you do, Windows will display the wizard’s Specify Access Permission screen. Choose the Grant Access option, and click Next. Setting the access permission to Grant Access does not grant users full access to the network. All it means is that requests coming into this policy are approved for further processing.

At this point, you will see the wizard’s Configure Authentication Methods screen. This screen displays a series of check boxes, each corresponding to a different authentication method. Go ahead and accept the defaults, as shown in Figure C, and click Next.


Figure C: Accept the default authentication methods, and click Next

Click Next, and you will see the Configure Constraints screen. We don’t want to add any constraints to this policy, so just click Next.

You will now see the wizard’s Configure Settings screen. This screen allows you to specify the settings that should be applied if a computer is granted access. In some of the earlier builds of Windows Server 2008, you were required to disable NAP enforcement so that client computers could gain access to the network. In the RTM release though, the NAP Enforcement setting is configured by default to allow full access to the network. That being the case, we can just click Next.

You should now see a screen displaying a summary of the configuration options that you have chosen for the policy. Assuming that everything looks correct, click Finish to create the policy.

Non-Compliant Computers

So far we have created a policy for compliant computers, now we have to create a similar policy for computers that are not compliant. To do so, right click on the console tree’s Network Policies container and select the New command from the resulting shortcut menus. This will cause Windows to launch the now familiar New Network Policy wizard.

As was the case before, the first thing that you must do is to enter a name for the new policy that you are creating. Let’s call this policy Noncompliant-Restricted. Once again, set the Type of Network Access Server option to Unspecified, and click Next.

You will now be taken to the wizard’s Conditions screen. When we created the network policy for compliant computers, we created a condition which required the computer to comply with the compliant policy that we had created in a previous part of this article series. Since this policy is for non compliant computers though, you must check to see if the client computer’s configuration matches the conditions defined in the NonCompliant policy. Specifically, this means checking to make sure that the Windows firewall is not enabled.

To do so, click the Add button, and Windows will display the Select Conditions dialog box. Choose the Health Policies option from the list, and click the Add button. Now, choose the NonCompliant option from the list of health policies, and click OK, followed by Next.

Windows will now display the wizard’s Specify Access Permission screen. Even though we are creating a restricted policy, you must still set the policy type to Grant Access. Remember that this does not grant access to the network, but rather allows further processing of the policy.

Click Next, and you will be taken to the wizard’s Configure Authentication Methods screen. Once again, just accept the default settings, and click Next.

At this point, you will see the Configure Constraints screen. We don’t need to configure any constraints, so just click Next.

You will now be taken to the wizard’s Configure Settings screen. So far everything that we have done to the policy for non compliant computers has been identical to what we did to the policy for compliant computers aside from specifying a different policy. If we left this policy the way that it is, then non compliant computers could end up gaining network access. Since we don’t want for that to happen, we need to use NAP enforcement to prevent network access.

To do so, select the NAP Enforcement container found in the list of settings. When you do, the Details pane will display various enforcement options. Select the Allow Limited Access option, and then click the Enable Auto Remediation of Client Computers check box. Enforce option, and then select the Update Non Compliant Computers Automatically check box. Click Next, followed by Finish to create the new policy.

Conclusion

In this article, I have shown you how to create network policies for both compliant and for non compliant computers. In the next article in the series, we will conclude the server configuration.

If you would like to read other parts to the article series please read:

Featured Links