Windows Server 2008: Using Network Policy Settings to Make Server Access More Secure

So how do we keep these workstations from bringing a variety of potential security threats into the server system, where they can do a great deal of damage? We can protect the server by configuring the network policy of the Windows Server 2008 system, preventing dangerous workstations from carrying network viruses or Trojans into the server system.

Understanding Network Policies

To secure the network and its server systems more effectively, Windows Server 2008 adds a new Network Policy Server role along with a number of other security measures. With the network policy feature enabled, the server forces every ordinary workstation that tries to connect to pass a set of network health checks: whether the workstation has a firewall program installed, whether its virus definitions are current, whether the latest system patches are installed, and so on. Only after the workstation passes all of these security checks does the server allow it to connect and access its content. Workstations that do not pass the checks are quarantined in a separate restricted network, or their access to the server is reduced.

While quarantined in the restricted network, the workstation is expected to repair its security state promptly through that limited network, for example by downloading and installing system patches from the patch server on the LAN, or by having its firewall program forcibly enabled. Once the network security conditions are met, the workstation can again access content on the server system normally.

Installing the Network Policy Server

Although Windows Server 2008 has the Network Policy Server functionality built in, the feature is not enabled by default, so before we can use it to secure the server system we must first install the feature component.

To install the network policy component, first log on to the Windows Server 2008 system with system administrator privileges, open the Start menu, select Programs/Administrative Tools/Server Manager, and open the Server Manager window.

In the display area on the left side of the Server Manager window, select the Roles option; in the display area on the right, click the Add Roles icon to open the Add Roles Wizard window. The prompt in this window tells us there are three preparations to make before installing the network policy component: first, make sure the Administrator account has a strong password; second, make sure the network settings have been configured; third, install the latest security updates from Windows Update.

After confirming that these preparations are complete, click Next to open the Server Roles list window shown in Figure 1. Here we see that "Network Policy and Access Services" is not selected by default, which means the network policy feature is not installed yet. Select the "Network Policy and Access Services" option and click Next; when the Role Services list window shown in Figure 2 appears, select the Network Policy Server option, click Next again, and finally click Install. The server system then installs the selected roles and role services automatically.

When installation of the network policy component completes, the system automatically prompts you to use the new component to configure Network Access Protection for the server system; at this point the DHCP service on the server is taken over by the newly installed Network Policy Server component. For the network policy server to have a real security effect, the DHCP parameters it relies on must be configured correctly. By default, Windows Server 2008 does not enable the Network Access Protection component associated with the Network Policy Server; it has to be activated manually in the DHCP scope properties used by the network policy server.
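The same role installation and a post-install check can be scripted from an elevated PowerShell session. This is an added example, not code from the original article: the feature identifiers (NPAS-Policy-Server, DHCP) and the service name (IAS) are the real ServerManager and service names on Windows Server 2008 R2, and the servermanagercmd.exe line in the comment is the equivalent for the original Windows Server 2008 release.

```powershell
# Added example, not part of the original article.
# Installs the Network Policy Server role service and verifies the result.
# Requirements: elevated PowerShell on Windows Server 2008 R2 (ServerManager module).
# On the original Windows Server 2008 release use instead:
#     servermanagercmd.exe -install NPAS-Policy-Server

Import-Module ServerManager

# ServerManager feature identifiers:
#   NPAS               -> Network Policy and Access Services (the role)
#   NPAS-Policy-Server -> Network Policy Server (the role service the article installs)
$featureName = 'NPAS-Policy-Server'

$feature = Get-WindowsFeature -Name $featureName
if (-not $feature.Installed) {
    Write-Host "Installing $featureName ..."
    $result = Add-WindowsFeature -Name $featureName
    if (-not $result.Success) {
        throw "Installation of $featureName failed (exit code: $($result.ExitCode))"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required to complete the installation.'
    }
} else {
    Write-Host "$featureName is already installed."
}

# The NPS service keeps its historical name, IAS (Internet Authentication Service).
$svc = Get-Service -Name IAS -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Start-Service -Name IAS
    $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
    $svc.Refresh()
}
Write-Host "NPS service status: $($svc.Status)"

# DHCP enforcement needs the DHCP Server role on this host; report whether it is
# present so the DHCP scope step described in the article can actually be done.
$dhcp = Get-WindowsFeature -Name DHCP
Write-Host ("DHCP Server role installed: {0}" -f $dhcp.Installed)
```

Running this before the console work saves a trip through the wizard and gives a clear answer to the two questions the article raises next: is NPS actually running, and is there a DHCP server here whose scope can be switched to Network Access Protection.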

Setting Up the Network Policy Server

Once the Network Policy Server feature component has been installed, we can go into the Network Policy Server console and configure it so that it starts protecting the server system as soon as possible.

To open the Network Policy Server console window, open the Windows Server 2008 Start menu and select Programs/Administrative Tools/Network Policy Server, as shown in Figure 3.

In the display area on the left of the console window we find that the Network Policy Server has four parts: connection request policies, network policies, health policies, and the Network Access Protection component. Together these isolate, secure, audit the health of, and apply network access protection to the ordinary workstation systems that access the organization's server.

Using a connection request policy, we specify whether a connection request is processed locally or forwarded to a remote RADIUS server.

With a health policy we define the health standard an ordinary workstation must meet; health policies are normally used together with the Network Access Protection component. Generally we need to create two basic policies on the server: one for secure workstations and one for insecure workstations. To create the policy for secure workstations, go to the display area on the left of the Network Policy Server console window, expand Policies/Health Policies, right-click Health Policies, select New from the shortcut menu, and open the settings dialog shown in Figure 4. In this dialog set the policy name to "secure workstation" and set the client SHV check to "Client passes all SHV checks", then click OK to create the secure-workstation policy. In the same way, create an "insecure workstation" policy and set its client SHV check to "Client fails all SHV checks".

So which workstations are secure and which are insecure? This is decided by the System Health Validator under the Network Access Protection component. The System Health Validator checks certain settings on the ordinary workstation and compares them against the security policies set up beforehand to decide whether the workstation is secure or insecure. Suppose we decide that a workstation without a firewall and antivirus software installed is insecure. To configure this security policy, expand Network Access Protection/System Health Validators in the left display area of the Network Policy Server console window. In the right display area, right-click the Windows Security Health Validator option, choose Properties from the shortcut menu, click the Configure button in the properties window that appears, and open the configuration interface shown in Figure 5. There select the option requiring a firewall to be enabled for all network connections and the option requiring an antivirus application to be on, and finally click OK to finish configuring Windows Security Health Validation. From then on, as long as an ordinary workstation has firewall and antivirus software installed, Windows Server 2008 treats it as a secure workstation.
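A practitioner troubleshooting a client that keeps landing in the restricted network wants to see the same two checks from the workstation's side. The script below is an added example, not part of the original article or of Windows: it reproduces the two Windows Security Health Validator criteria enabled above (firewall on for every network profile, antivirus application on) using the Windows Firewall COM API (HNetCfg.FwPolicy2) and the Security Center WMI class (root\SecurityCenter2\AntiVirusProduct, available on Windows Vista/7 clients). It goes slightly beyond the article by also reporting whether the antivirus definitions are current, which is an additional check the validator can enforce. The productState decoding is the commonly documented bit layout and is an assumption to confirm against your antivirus vendor.

```powershell
# Added example, not part of the original article.
# Workstation-side reproduction of the two WSHV checks the article enables.
# Run on a Windows Vista / 7 client (PowerShell 2.0 compatible). Windows XP
# clients register antivirus products under root\SecurityCenter instead.

function Test-FirewallAllProfiles {
    # HNetCfg.FwPolicy2 is the Windows Firewall COM interface; profile types are
    # NET_FW_PROFILE_TYPE2 values: 1 = domain, 2 = private, 4 = public.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    $disabled = @()
    foreach ($id in $profiles.Keys) {
        if (-not $fw.FirewallEnabled($id)) { $disabled += $profiles[$id] }
    }
    $detail = if ($disabled.Count -eq 0) { 'on for all profiles' } else { 'off for: ' + ($disabled -join ', ') }
    return @{ Pass = ($disabled.Count -eq 0); Detail = $detail }
}

function Test-AntivirusStatus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        return @{ Pass = $false; Detail = 'no antivirus product registered with Security Center' }
    }
    $ok = @(); $bad = @()
    foreach ($p in $products) {
        # productState is a bit field, read here as six hex digits "00AABB" (assumed layout):
        #   AA (middle byte): 0x10 or 0x11 = real-time protection on
        #   BB (low byte):    0x00 = definitions current, 0x10 = out of date
        $hex     = '{0:x6}' -f [int]$p.productState
        $enabled = @('10', '11') -contains $hex.Substring(2, 2)
        $current = $hex.Substring(4, 2) -eq '00'
        if ($enabled -and $current) { $ok += $p.displayName }
        else { $bad += ('{0} (on={1}, current={2})' -f $p.displayName, $enabled, $current) }
    }
    return @{ Pass = ($ok.Count -gt 0); Detail = (($ok + $bad) -join '; ') }
}

# Evaluate both criteria and map the outcome onto the article's two health policies.
$checks = @{
    'Firewall enabled for all network connections' = Test-FirewallAllProfiles
    'Antivirus application on and up to date'      = Test-AntivirusStatus
}
$allPass = $true
foreach ($name in $checks.Keys) {
    $r = $checks[$name]
    if (-not $r.Pass) { $allPass = $false }
    $status = if ($r.Pass) { 'PASS' } else { 'FAIL' }
    '{0} {1}: {2}' -f $status, $name, $r.Detail
}
if ($allPass) { 'Result: would match the "secure workstation" health policy' }
else { 'Result: would match the "insecure workstation" policy and be placed in the restricted network' }
```

A FAIL line names the exact profile or product that needs attention, which is more useful than the client-side NAP tray message alone; the same script can be dropped on a remediation server so quarantined clients can self-diagnose.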

When Windows Server 2008 finds that an ordinary workstation is insecure, the Network Policy Server also provides remediation: the insecure workstation is automatically allowed to reach the patch update server or virus definition update server on the LAN so that it can install system patches and update its virus definitions in time. For insecure workstations to install patches or update definitions automatically, we use a remediation server group to define which systems an insecure workstation may reach, so that it can restore itself from an insecure to a secure state using those systems. To specify the servers an insecure workstation may access, expand Network Access Protection/Remediation Server Groups in the left display area of the Network Policy Server console window, right-click Remediation Server Groups, and choose New from the shortcut menu to open the creation dialog shown in Figure 6. Click Add in that dialog and enter the host name or IP address of the patch update server or virus definition update server. When a workstation is then detected as insecure, it automatically connects to the patch update server or virus definition update server to install patches or update its definitions. Once the workstation has installed the patches or updated its definitions, it is considered secure when it next accesses the Windows Server 2008 system and is allowed to connect, which maximizes the security of the server system.

Finally, note that the System Health Validator, health policies, connection request policies and remediation server groups described above only take effect in combination with a network policy. A network policy decides how a workstation is handled according to its security status. For example, when an ordinary workstation matches the insecure-workstation policy, we can define a network policy instructing the DHCP server on the LAN to give that workstation an IP lease with restricted scope options, so that the workstation's address can reach only the systems defined in the specified remediation server group.
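The remediation server group from Figure 6 can also be created and then audited from the command line, which makes the quarantine allow-list reviewable and reproducible. The script below is an added example, not the article's or Microsoft's code: it uses the netsh nps commands add remediationservergroup, add remediationserver and export, which I believe exist on Windows Server 2008 but whose parameter spelling should be confirmed on your build with netsh nps add /?. The group name, server names and 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example, not part of the original article.
# Creates the remediation server group quarantined workstations may reach, adds the
# patch and virus-definition update servers to it, exports the NPS configuration
# and checks that the group and addresses appear in the export.
# Run in an elevated PowerShell session on the NPS server.

$groupName = 'LAN_Remediation'                     # constructed name (no spaces, simpler for netsh)
$remediationServers = @(
    @{ Name = 'wsus01';  Address = '192.0.2.10' },  # placeholder: patch update server
    @{ Name = 'avupd01'; Address = '192.0.2.11' }   # placeholder: virus definition update server
)
$exportPath = Join-Path $env:SystemDrive 'nps-config-export.xml'

function Invoke-NpsCommand {
    # Runs one 'netsh nps' command, echoes it, and throws if netsh reports failure
    # so a half-built group is never left behind silently.
    param([string[]]$NetshArgs)
    Write-Host ('netsh nps ' + ($NetshArgs -join ' '))
    $output = & netsh.exe nps @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh nps failed: $output" }
    return $output
}

# 1. Create the group (equivalent to the New dialog in Figure 6).
#    Assumed syntax: netsh nps add remediationservergroup name=<group>
Invoke-NpsCommand @('add', 'remediationservergroup', "name=$groupName") | Out-Null

# 2. Add each server by name and address (equivalent to the Add button).
#    Assumed syntax: netsh nps add remediationserver group=<group> name=<srv> address=<ip>
foreach ($s in $remediationServers) {
    Invoke-NpsCommand @('add', 'remediationserver', "group=$groupName",
                        "name=$($s.Name)", "address=$($s.Address)") | Out-Null
}

# 3. Export the NPS configuration. exportPSK=NO keeps RADIUS shared secrets out of
#    the file; use exportPSK=YES only for a full backup that is stored securely.
Invoke-NpsCommand @('export', "filename=$exportPath", 'exportPSK=NO') | Out-Null

# 4. Verify: every expected token must appear somewhere in the exported XML.
#    Searching text rather than a fixed XPath keeps this independent of the schema.
$expected = @($groupName) + @($remediationServers | ForEach-Object { $_.Address })
$missing = @()
foreach ($token in $expected) {
    $found = Select-String -Path $exportPath -Pattern ([regex]::Escape($token)) -Quiet
    if (-not $found) { $missing += $token }
    '{0} {1}' -f $(if ($found) { 'found  ' } else { 'MISSING' }), $token
}
if ($missing.Count -gt 0) { throw ('Export does not contain: ' + ($missing -join ', ')) }
Write-Host "Remediation group '$groupName' configured; export written to $exportPath"
```

Keeping the export under change control turns the remediation allow-list into something that can be diffed after every change, so an unexpected extra address in the group is noticed rather than silently widening what a quarantined client can reach.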
