Among the features of Windows Server 2008, Network Access Protection (NAP), which helps enterprises tighten the security management of personal computers, is undoubtedly one of the most anticipated, especially for those working in networking and information security.
Simply put, NAP prevents computers that do not comply with the enterprise security policy from connecting, by approving or rejecting each connection. Non-compliance includes not enabling Automatic Updates, not patching system vulnerabilities regularly, not installing antivirus software or enabling a personal firewall, and antivirus signatures or scan engines that are past their deadline and have not been updated.
Integrating policy control with authentication and authorization
To start using NAP, you must first add a new server role from Server Manager named Network Policy and Access Services (NPAS). After completing the installation steps, a shortcut to Network Policy Server (NPS) is added under Administrative Tools in the Start menu.
When you open the Network Policy Server console, three standard configuration options are immediately available so that settings can be applied quickly. Clicking Configure NAP starts a wizard that guides the administrator through the setup step by step.
In fact, the predecessor of NPS is Internet Authentication Service (IAS) on Windows Server 2003. NPS continues to provide the same centralized RADIUS authentication, authorization, and accounting for wired, wireless, and VPN networks rather than introducing a new server execution environment. It can therefore also act as a RADIUS proxy, forwarding authentication and accounting messages to other RADIUS servers.
In short, NAP is the name of a feature, but in Windows Server 2008 this functionality is provided mainly by the server role mentioned above.
Includes a policy server and enforcement servers
When NPAS is first installed, it includes NPS, Remote Access Service (RAS), Routing, and the Health Registration Authority (HRA).
HRA is rather special: it is used mainly in the NAP IPsec enforcement architecture. In an IPsec-protected domain network, a personal computer that is judged compliant with the network security policy obtains a health certificate. The other computers on the same network validate that certificate when the computer connects to them; if a computer fails the policy check and cannot obtain a health certificate, IPsec peer authentication fails and it cannot communicate with the other computers.
NPS can be further divided into four major components:
RADIUS Clients and Servers: RADIUS clients are the network access devices that send requests to the server, and RADIUS servers are other NPS servers. When an enterprise configures an NPS server as a RADIUS proxy, authentication and authorization requests can be forwarded to other RADIUS servers; if the corporate network uses multiple domains or multiple forests, requests can be routed through this mechanism.
Policies: Three kinds of policy settings: connection request, network, and health. Connection request policies handle the conditions for connecting to a remote NPS server or other RADIUS server, and make NPS the gateway that authenticates on behalf of RADIUS-capable devices, such as 802.1X wireless APs and authenticating switches, servers running Routing and Remote Access Services (RRAS) as VPN or dial-up servers, and Terminal Services Gateways. Policies for the local domain and trusted domains are preset.
Network policies can take more than six forms, including unspecified, remote access server, Ethernet, Terminal Services Gateway, wireless AP, HRA, HCAP server, and DHCP server.
As for health policies, they are generally set to "client passes all checks" or "client fails one or more checks", but five other options are also available, such as fails all checks, passes one or more checks, reported as infected by malware, and cannot be determined, so that each situation can be matched to a corresponding policy.
Network Access Protection: covers only the System Health Validator (SHV) settings that check the health status of managed computers, and the remediation server settings. Remediation servers include DNS servers, domain controllers, file servers hosting antivirus signatures, software update servers, and so on, so that computers that fail the health check have a chance to be fixed. Any further action to be taken after the check completes must be defined in the policies.
In the SHV you can define the health requirements for Windows XP and Vista, such as whether Windows Firewall is enabled, whether Automatic Updates is on, whether antivirus software is installed, whether anti-spyware software is installed (the Windows XP SHV does not support this check), and whether signatures are up to date. You can also set the number of hours within which security updates must be completed. If the enterprise has already deployed Microsoft's Windows Server Update Services (WSUS), it can be configured here as the source of update information and files.
Regarding antivirus support, Microsoft claims to be able to recognize signatures from its own Forefront Client Security as well as Symantec, Trend Micro, McAfee and other brands; for anti-spyware, only Windows Defender is currently supported.
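To make the health-policy options and SHV checks described above concrete, here is an added example (not Microsoft's code and not part of the original article) that models how per-check SHV results are aggregated under each health-policy option. The check names, the ISO-date representation of signature age, and the seven-day signature limit are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not Microsoft's code: a constructed model of how an NPS health
# policy aggregates the per-check results of a System Health Validator (SHV).

PASS, FAIL, UNKNOWN = "pass", "fail", "unknown"

@dataclass
class StatementOfHealth:
    """What a client's System Health Agent (SHA) reports; None = not reported."""
    firewall_on: "bool | None"
    auto_update_on: "bool | None"
    antivirus_installed: "bool | None"
    signature_date: "str | None"            # ISO date of newest AV signature
    antispyware_on: "bool | None" = None    # Windows XP SHA does not report this
    infected: bool = False                  # SHA reports an active malware detection

def _check(value):
    return UNKNOWN if value is None else (PASS if value else FAIL)

def run_shv(soh, today, max_sig_age_days=7, require_antispyware=False):
    """Return {check_name: PASS/FAIL/UNKNOWN} for each configured SHV item."""
    results = {"firewall": _check(soh.firewall_on),
               "automatic_updates": _check(soh.auto_update_on),
               "antivirus": _check(soh.antivirus_installed)}
    if soh.signature_date is None:
        results["signatures"] = UNKNOWN
    else:
        age = (date.fromisoformat(today) - date.fromisoformat(soh.signature_date)).days
        results["signatures"] = PASS if age <= max_sig_age_days else FAIL
    if require_antispyware:                 # leave off when XP clients are in scope
        results["antispyware"] = _check(soh.antispyware_on)
    return results

def health_policy_matches(soh, results, option):
    """Apply one NPS health-policy option to the SHV results. True means the client
    matches it, so the network policy bound to it (full or restricted access) applies."""
    vals = list(results.values())
    rules = {
        "passes_all": all(v == PASS for v in vals) and not soh.infected,
        "fails_one_or_more": any(v == FAIL for v in vals),
        "fails_all": all(v == FAIL for v in vals),
        "passes_one_or_more": any(v == PASS for v in vals),
        "infected": soh.infected,
        "unknown": UNKNOWN in vals,         # a check the SHA could not report
    }
    if option not in rules:
        raise ValueError(f"unknown health policy option: {option}")
    return rules[option]
```

Note that an XP client evaluated with the anti-spyware check enabled yields an UNKNOWN result rather than a FAIL, which is why the "cannot be determined" option exists alongside "fails one or more checks".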
Accounting: responsible for generating log files, which can be stored in IAS.log format or written to a SQL Server database. Enterprises under stricter audit requirements, such as the financial industry, can send this information to SQL Server.
NPS is responsible for policy and evaluation
How does NPS actually authenticate each managed client? A user turns on a computer and tries to access the network; the network device and the Network Policy Server then require the client to present proof of health, such as its Automatic Updates status and whether the firewall and antivirus software are enabled. If the system state declared by the client's System Health Agent (SHA) passes the SHV checks and the NAP policies, the health certificate and connection details are passed on to the policy server.
After evaluating the connection details, the Network Policy Server passes the user's credentials to Active Directory for authorization; if the policy is met and the user is authorized, the user or device is granted access to the network.
Note in particular that NPS is only responsible for evaluating the policy settings it holds and does not perform the authorization itself. All network access authorization and account management must be handled together with the domain controller.