
Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab

Microsoft Corporation Published: February 2008

Abstract
Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista®, Windows Server® 2008, and Windows XP with Service Pack 3 operating systems. (NAP can also be deployed on computers running Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8.) NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the DHCP enforcement method.

Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
Step By Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
    Abstract
    Copyright Information
    Contents
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
    In this guide
    Scenario overview
        NAP enforcement processes
            Policy validation
            NAP enforcement and network restriction
            Remediation
            Ongoing monitoring to ensure compliance
        DHCP NAP enforcement overview
    Hardware and software requirements
    Steps for configuring the test lab
    Configure DC1
        Install the operating system on DC1
        Configure TCP/IP on DC1
        Configure DC1 as a domain controller and DNS server
        Create a user account in Active Directory
        Add User1 to the Domain Admins group
        Create a security group for NAP client computers
    Configure NPS1
        Install Windows Server 2008 or Windows Server 2008 R2
        Configure TCP/IP properties on NPS1
        Join NPS1 to the contoso.com domain
        User Account Control
        Install the NPS and DHCP server roles
        Install the Group Policy Management feature
        Configure NPS as a NAP health policy server
            Configure NAP with a wizard
            Configure SHVs
        Configure DHCP on NPS1
            Open the DHCP console
            Enable NAP settings for the scope
            Configure the default user class
            Configure the default NAP class
        Configure NAP client settings in Group Policy
            Configure security filters for the NAP client settings GPO
    Configure CLIENT1
        Install Windows Vista on CLIENT1
        Configure TCP/IP on CLIENT1
        Test network connectivity for CLIENT1
        Configure DC1 as a remediation server
        Renew IP addressing on CLIENT1
        Join CLIENT1 to the Contoso.com domain
        Add CLIENT1 to the NAP client computers security group
        Enable Run on the Start menu
        Verify Group Policy settings
    Verifying NAP functionality
        Verification of NAP auto-remediation
        Verification of health policy enforcement
            Configure WSHV to require an antivirus application
            Release and renew the IP address on CLIENT1
            View the client restriction state
            Allow CLIENT1 to become compliant
    See Also
    Appendix
        Set UAC behavior of the elevation prompt for administrators
        Review NAP client events
        Review NAP server events

Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab

Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network. In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework. NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:
- Internet Protocol security (IPsec)-protected communications
- Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
- Virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration
- Terminal Services Gateway (TS Gateway)

The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.

In this guide
This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the DHCP enforcement method using two server computers and one client computer. The test lab lets you create and enforce client health requirements using NAP and DHCP.

Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Scenario overview
In this test lab, NAP enforcement for DHCP network access control is deployed with a server running Windows Server 2008 or Windows Server 2008 R2 that has DHCP and the Network Policy Server (NPS) service installed, and a client computer running Windows Vista or Windows 7 with the NAP agent service running and the DHCP enforcement client component enabled. A computer running Windows Server® 2003 is also used in the test lab as a domain controller and DNS server. The test lab will demonstrate how NAP-capable client computers are provided network access based on their compliance with network health requirements.

NAP enforcement processes

Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation
System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations. Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, and enforce the following settings for NAP-capable computers:
- The client computer has firewall software installed and enabled.
- The client computer has antivirus software installed and running.
- The client computer has current antivirus updates installed.
- The client computer has antispyware software installed and running.
- The client computer has current antispyware updates installed.
- Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall, and have an antivirus application installed.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

- Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
- Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
- Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a TCP/IP configuration to the client computer that places it on a restricted network.

Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant. This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.

DHCP NAP enforcement overview

The test environment described in this guide includes a domain controller running Windows Server 2003, a member server running Windows Server 2008 or Windows Server 2008 R2, and a client computer running Windows Vista or Windows 7. The domain controller, member server, and the client computer compose a private intranet and are connected through a common hub or layer 2 switch. Private addresses are used throughout the test lab configuration. The private network ID 192.168.0.0/24 is used for the intranet. The domain controller is named DC1 and is the primary domain controller for the domain named Contoso.com. The member server is named NPS1 and is configured as a DHCP server and a network policy server. The client is named CLIENT1 and is configured for automatic addressing through DHCP. Keep in mind that DHCP enforcement only restricts a client that accepts the lease it is offered: a user with local administrator rights can bypass it by assigning a static IP address, which is why it is the weakest of the NAP enforcement methods and is well suited to a demonstration like this lab but not to keeping a determined attacker off a network. The following figure shows the configuration of the test environment.

Hardware and software requirements

The following are required components of the test lab:
- The product disc for Windows Server 2008 or Windows Server 2008 R2.
- The product disc for Windows Vista Business, Windows Vista Enterprise, or Windows Vista Ultimate. You can also use the product discs for Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate.
- The product disc for Windows Server 2003 with Service Pack 2 (SP2).
- One computer that meets the minimum hardware requirements for Windows Server 2003 with SP2. This lab demonstrates NAP support for the Active Directory® directory service in Windows Server 2003. You can also make the domain controller in this lab run Windows Server 2008 or Windows Server 2008 R2.
- One computer that meets the minimum hardware requirements for Windows Server 2008 or Windows Server 2008 R2.
- One computer that meets the minimum hardware requirements for Windows Vista or Windows 7.
- An Ethernet hub or layer 2 switch.

Steps for configuring the test lab

There are three overall stages required to set up this test lab, one stage for each computer.

1. Configure DC1.

DC1 is a server computer running the Windows Server 2003 Standard Edition operating system. DC1 is configured as a domain controller with Active Directory and the primary DNS server for the intranet subnet.

2. Configure NPS1.
NPS1 is a server computer running Windows Server 2008 or Windows Server 2008 R2. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. NPS1 will also be configured with the DHCP service and function as a NAP enforcement server.

3. Configure CLIENT1.
CLIENT1 is a client computer running Windows Vista or Windows 7. CLIENT1 will be configured as a DHCP client and a NAP client.

Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

After the NAP components are configured, this guide will provide steps for a demonstration of NAP enforcement and auto-remediation. The following sections provide details about how to perform these tasks.

Configure DC1
DC1 is a computer running Windows Server 2003 Standard Edition with SP2, which provides the following services:
- A domain controller for the Contoso.com Active Directory domain.
- A DNS server for the Contoso.com DNS domain.

DC1 configuration consists of the following steps:
- Install the operating system.
- Configure TCP/IP.
- Install Active Directory and DNS.
- Create a user account and group in Active Directory.
- Create a NAP client computer security group.

The following sections explain these steps in detail.

Install the operating system on DC1

Install Windows Server 2003 Standard Edition with SP2 as a stand-alone server.
1. Start your computer using the Windows Server 2003 product disc.
2. When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.
1. Click Start, click Run, and then type ncpa.cpl.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select Use the following IP address. Type 192.168.0.1 next to IP address and 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close the Network Connections window.

Configure DC1 as a domain controller and DNS server

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.
1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the Active Directory Installation Wizard dialog box, click Next.
3. Operating system compatibility information is displayed. Click Next again.
4. Verify that Domain controller for a new domain is selected, and then click Next.
5. Verify that Domain in a new forest is selected, and then click Next twice.
6. On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9. Accept the default Database Folder and Log Folder directories, and then click Next.
10. Accept the default folder location for Shared System Volume, and then click Next.
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next. This shortcut is acceptable only on an isolated lab network: the Directory Services Restore Mode password gives offline access to the directory database, so set a strong one on any real domain controller.
13. Review the summary information provided, and then click Next.
14. Wait while the wizard completes configuration of Active Directory and DNS services, and then click Finish.
15. When prompted to restart the computer, click Restart Now.
16. After the computer is restarted, log in to the CONTOSO domain using the Administrator account.

Create a user account in Active Directory

Next, create a user account in Active Directory. This account will be used when logging in to NPS1 and CLIENT1.
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, next to Full name, type User1 User, and in User logon name, type User1.
4. Click Next.
5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
6. Clear the User must change password at next logon check box, and select the Password never expires check box.
7. Click Next, and then click Finish.
8. Leave the Active Directory Users and Computers console open for the following procedure.

Add User1 to the Domain Admins group

Next, add the newly created user to the Domain Admins group so this user can be used for all configuration activities.
1. In the Active Directory Users and Computers console tree, click Users.
2. In the details pane, double-click Domain Admins.
3. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
4. Under Enter the object names to select (examples), type User1, the user name that you created in the preceding procedure, and then click OK twice.
5. Leave the Active Directory Users and Computers console open for the following procedure.

Create a security group for NAP client computers

Next, create a security group for use with Group Policy security filtering. This security group will be used to apply NAP client computer settings to only the computers you specify. CLIENT1 will be added to this security group after it is joined to the domain.
1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type NAP client computers.
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.
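The DC1 procedures above (static addressing, promotion to the first domain controller of Contoso.com, the User1 account, its Domain Admins membership, and the NAP client computers group) can also be scripted. The script below is an added example and is not part of the Microsoft guide. It assumes that DC1 is built on Windows Server 2008 or Windows Server 2008 R2 with PowerShell available (the hardware requirements section allows this instead of Windows Server 2003; the [DCInstall] answer-file keys are the 2008-era dcpromo format), that the adapter is named "Local Area Connection", and that the two placeholder passwords are replaced before use. Run it three times: -Phase Network, then -Phase Promote (which reboots DC1), then -Phase Accounts after logging on as CONTOSO\Administrator.

```powershell
# Added example (not the guide's own code): scripted equivalent of the DC1 procedures.
# Assumes DC1 runs Windows Server 2008 / 2008 R2, PowerShell is installed, and the
# adapter is named "Local Area Connection". Passwords below are lab placeholders.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Network', 'Promote', 'Accounts')]
    [string]$Phase,                                   # Network -> Promote (reboots) -> Accounts
    [string]$InterfaceName = 'Local Area Connection', # assumed adapter name
    [string]$User1Password = 'LabOnly-User1-Pw1',     # placeholder; replace before use
    [string]$DsrmPassword  = 'LabOnly-Dsrm-Pw1'       # placeholder; replace before use
)

function Invoke-Native {
    # Run a native tool and fail loudly on a non-zero exit code instead of carrying on.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

switch ($Phase) {
    'Network' {
        # Static 192.168.0.1/24, no gateway, DNS left empty: dcpromo installs DNS and sets it.
        Invoke-Native netsh @('interface', 'ipv4', 'set', 'address', "name=$InterfaceName",
                              'source=static', 'address=192.168.0.1', 'mask=255.255.255.0')
        Invoke-Native netsh @('interface', 'ipv4', 'set', 'dnsservers', "name=$InterfaceName",
                              'source=static', 'address=none', 'validate=no')
    }
    'Promote' {
        # New forest Contoso.com with DNS, matching the wizard choices in the procedure.
        # Unlike wizard step 12 a DSRM password is set: dcpromo rejects an empty one.
        $answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=Contoso.com
DomainNetBiosName=CONTOSO
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
        $file = Join-Path $env:TEMP 'dc1-unattend.txt'
        Set-Content -Path $file -Value $answer -Encoding ASCII
        try     { Invoke-Native dcpromo @("/unattend:$file") }
        finally { Remove-Item $file -Force }   # the file holds the DSRM password in clear text
        & shutdown /r /t 10 /c "DC1 promotion complete; restarting"
    }
    'Accounts' {
        # Run after the restart, logged on as CONTOSO\Administrator.
        $dom   = 'DC=contoso,DC=com'
        $user1 = "CN=User1,CN=Users,$dom"
        # User1 with "must change password at next logon" cleared and "password never expires" set.
        Invoke-Native dsadd @('user', $user1, '-samid', 'User1', '-upn', 'User1@contoso.com',
                              '-pwd', $User1Password, '-mustchpwd', 'no',
                              '-pwdneverexpires', 'yes', '-disabled', 'no')
        Invoke-Native dsmod @('group', "CN=Domain Admins,CN=Users,$dom", '-addmbr', $user1)
        # Global security group used later for security filtering of the NAP client settings GPO.
        Invoke-Native dsadd @('group', "CN=NAP client computers,CN=Users,$dom",
                              '-secgrp', 'yes', '-scope', 'g')
        # Print User1's group memberships so the Domain Admins change can be confirmed.
        Invoke-Native dsget @('user', $user1, '-memberof')
    }
}
```

Passing the User1 password on the dsadd command line is fine for a throwaway lab but leaves it in the PowerShell history; on anything that is not a lab, let dsadd prompt (-pwd *) instead.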

Configure NPS1
For the test lab, NPS1 will be running Windows Server 2008 or Windows Server 2008 R2, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting. NPS1 configuration consists of the following steps:
- Install the operating system.
- Configure TCP/IP.
- Join the computer to the domain.
- Install the NPS and DHCP server roles.
- Install the Group Policy Management feature.
- Configure NPS as a NAP health policy server.
- Configure DHCP.
- Configure NAP client settings in Group Policy.

Install Windows Server 2008 or Windows Server 2008 R2

1. Start your computer by using the Windows Server 2008 or Windows Server 2008 R2 product CD.
2. When prompted for the installation type, choose Custom.
3. Follow the instructions that appear on your screen to finish the installation.

Configure TCP/IP properties on NPS1

1. Click Server Manager.
2. Under Server Summary, click View Network Connections.
3. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9. Close the Network Connections window.
10. Do not close the Server Manager window. It will be used in the next procedure.
11. Next, check network communication between NPS1 and DC1 by running the ping command from NPS1.
12. Click Start, click Run, in Open type cmd, and then press ENTER.
13. In the command window, type ping DC1.
14. Verify that the response reads "Reply from 192.168.0.1."
15. Close the command window.

Join NPS1 to the contoso.com domain

1. In Server Manager, under Server Summary, click Change System Properties.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1.
4. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com.
5. Click More. Under Primary DNS suffix of this computer, type Contoso.com, and then click OK twice.
6. When prompted for a user name and password, type User1 and the password for the user account that you added to the Domain Admins group, and then click OK.
7. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
8. When you are prompted that you must restart the computer, click OK.
9. On the System Properties dialog box, click Close.
10. When you are prompted to restart the computer, click Restart Now.
11. After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.

User Account Control

When you configure the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks to follow require UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.

!nsta%% t e NPS and DHCP ser#er ro%es


Ne4t, install the NP& and 23CP ser'er roles on NP&.* .* Click Start, and then click Ser#er ?anager* 2* 5nder 'o%es Summary, click Add ro%es, and then click Ne9t* )* <n the Se%ect Ser#er 'o%es pa"e, select the DHCP Ser#er and Net$or& Po%icy and Access Ser#ices check bo4es, and then click Ne9t twice* D* <n the Se%ect 'o%e Ser#ices pa"e, select the Net$or& Po%icy Ser#er check bo4, and then click Ne9t twice* @* <n the Se%ect Net$or& Connection Bindings pa"e, 'erify that *01,*23,4,1 is selected, and then click Ne9t* A* <n the Specify !P#@ DNS Ser#er Settings pa"e, 'erify that contoso,com is listed under Parent domain* -* 1ype *01,*23,4,* under Preferred DNS ser#er !P address, and click =a%idate* $erify that the result returned is =a%id, and then click Ne9t* 8* <n the Specify 7!NS Ser#er Settings pa"e, accept the default settin" of 7!NS is not re)uired on t is net$or&, and then click Ne9t* B* <n the Add or Edit DHCP Scopes pa"e, click Add* .0* /n the Add Scope dialo" bo4, type NAP Scope ne4t to Scope Name* Ne4t to Starting !P Address, type *01,*23,4,>, ne4t to Ending !P Address, type *01,*23,4,*4, and ne4t to Subnet ?as&, type 155,155,155,4* ..* &elect the Acti#ate t is scope check bo4, click (6, and then click Ne9t* .2* <n the Configure DHCP#2 State%ess ?ode pa"e, select Disab%e DHCP#2 state%ess mode for t is ser#er, and then click Ne9t* .)* <n the Aut ori8e DHCP Ser#er pa"e, select /se current credentia%s* $erify that C(NT(S(Buser* is displayed ne4t to /sername, and then click Ne9t* .D* <n the Confirm !nsta%%ation Se%ections pa"e, click !nsta%%* .@* $erify the installation was successful, and then click C%ose* .A* 6ea'e &er'er Mana"er open for the followin" procedure*

Install the Group Policy Management feature


Group Policy will be used to configure NAP client settings in the test lab. To access these settings, the Group Policy Management feature must be installed on a computer running Windows Server 2008.

1. In Server Manager, under Features Summary, click Add Features.
2. Select the Group Policy Management check box, click Next, and then click Install.
3. Verify the installation was successful, and then click Close to close the Add Features Wizard dialog box.
4. Close Server Manager.

Configure NPS as a NAP health policy server


To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server is performed using the NAP configuration wizard. The NAP wizard helps you configure each NAP component to work with the NAP enforcement method you choose. These components are displayed in the NPS console tree, and include:

System Health Validators. System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For the test lab, WSHV will be configured to require only that Windows Firewall is enabled.

Health Policies. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.

Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through DHCP to specify a restricted subnet. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires DHCP as the network access server for client authentication.

RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. Remote DHCP servers are configured as RADIUS clients on NPS. A remote DHCP server is not used in this test lab; therefore, it will not be necessary to configure RADIUS clients and servers.

Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they are automatically available to computers on the restricted access subnet when you add them to remediation server groups. This test lab includes a demonstration of the use of a remediation server group to provide domain services to a client with restricted network access.

Configure NAP with a wizard


The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
5. On the Specify NAP Enforcement Servers Running DHCP page, click Next. Because this NAP health policy server has DHCP installed locally, we do not need to add RADIUS clients.
6. On the Specify DHCP Scopes page, click Next. The test lab will use only one DHCP scope; therefore, no scope conditions are required.
7. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
8. On the Specify a NAP Remediation Server Group and URL page, click Next. Remediation servers will be configured later in this test lab.
9. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
10. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
11. Leave the NPS console open for the following procedure.

Configure SHVs
SHVs define configuration requirements for computers that attempt to connect to your network. For the test lab, the WSHV will be configured to require only that Windows Firewall is enabled. Use one of the following procedures, depending on whether you are running Windows Server 2008 or Windows Server 2008 R2.

To configure SHVs in Windows Server 2008
1. In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators.
2. In the details pane, under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. Clear all check boxes except A firewall is enabled for all network connections. See the following example.
5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
6. Close the Network Policy Server console.

To configure system health validators in Windows Server 2008 R2
1. In the Network Policy Server console tree, open Network Access Protection\System Health Validators\Windows Security Health Validator\Settings.
2. In the details pane, under Name, double-click Default Configuration.
3. In the Windows Security Health Validator dialog box, in the left pane, select Windows 7/Windows Vista, and then under Choose policy settings for Windows Security Health Validator, clear all the check boxes except for A firewall is enabled for all network connections.
4. Click OK to close the Windows Security Health Validator dialog box, and then close the Network Policy Server console.

Configure DHCP on NPS1


NPS1 is the member server that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager. We will configure scope options further for NAP.

Open the DHCP console


1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.

Enable NAP settings for the scope


First, enable the default NAP profile for the NAP scope.
1. In the DHCP console, double-click nps1.contoso.com, and then double-click IPv4.
2. Right-click Scope [192.168.0.0] NAP Scope, and then click Properties.
3. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is chosen, and then click OK.

Configure the default user class


Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.
1. In the DHCP console tree, under Scope [192.168.0.0] NAP Scope, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, verify that Default User Class is chosen next to User class.
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 192.168.0.1, and then click Add.
4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type contoso.com, and then click OK. The contoso.com domain is a full-access network assigned to compliant NAP clients.
Note
The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all computers in the test lab are located on the same subnet, this option is not required.

Configure the default NAP class


Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.
1. In the DHCP console tree, under Scope [192.168.0.0] NAP Scope, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 192.168.0.1, and then click Add.
4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type restricted.contoso.com, and then click OK. The restricted.contoso.com domain is a restricted-access network assigned to noncompliant NAP clients.
Note
The 003 Router option is configured in the default NAP class if a default gateway is required for client computers to reach the DHCP server or remediation servers on a different subnet. Because all computers in the test lab are located on the same subnet, this option is not required.

Configure NAP client settings in Group Policy


The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on NPS1:
NAP enforcement clients
NAP Agent service
Security Center user interface

After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.
1. On NPS1, click Start, click Run, type gpme.msc, and then press ENTER.
2. In the Browse for a Group Policy Object dialog box, next to Contoso.com, click the icon to create a new GPO, type NAP client settings for the name of the new GPO, and then click OK.
3. The Group Policy Management Editor window will open. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
4. In the details pane, double-click Network Access Protection Agent.
5. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
6. In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients.
7. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
8. In the console tree, right-click NAP Client Configuration, and then click Apply.
Note
If you are running Windows Server 2008 R2, you can skip this step.
9. In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
10. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.
11. Close the Group Policy Management Editor window.
12. If you are prompted to apply settings, click Yes.

Configure security filters for the NAP client settings GPO


Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.
1. On NPS1, click Start, click Run, type gpmc.msc, and then press ENTER.
2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects\NAP client settings.
3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
4. When you are prompted to confirm the removal of delegation privilege, click OK.
5. In the details pane, under Security Filtering, click Add.
6. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.
7. Close the GPMC.
Note
CLIENT1 will be added to the NAP client computers security group after it is joined to the domain.

Configure CLIENT1
CLIENT1 is a computer running Windows Vista or Windows 7 that you will use to demonstrate how NAP can be used with DHCP to help protect a network from noncompliant client computers. CLIENT1 configuration is performed in the following steps:
Install the operating system.
Configure TCP/IP.
Verify network connectivity.
Join the computer to the domain.
Add CLIENT1 to the NAP client computers security group and restart the computer.
Enable Run on the Start menu.
Verify Group Policy settings.

The following sections explain these steps in detail.

Install Windows Vista on CLIENT1


1. Start your computer using the product discs for Windows Vista or Windows 7.
2. When prompted for the installation type, choose Custom Installation.
3. When prompted for a computer name, type CLIENT1.
4. On the Select your computer's current location page, click Work.
5. Follow the rest of the instructions that appear on your screen to finish the installation.

Configure TCP/IP on CLIENT1


1. Click Start, click Run, and then type ncpa.cpl.
Important
You must enable the Run command to complete this step. For more information about how to enable the Run command, see the To enable Run on the Start menu procedure later in this document.
2. Right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
7. Close the Network Connections and Network and Sharing Center windows.

Test network connectivity for CLIENT1


Because CLIENT1 has not joined the domain, it has not yet received Group Policy settings to start the NAP Agent service. When the NAP Agent service is not running, CLIENT1 is evaluated as non-NAP-capable. By default, the NAP configuration wizard provides restricted access to non-NAP-capable clients. Run the ping command from CLIENT1 to confirm the loss of network communication between CLIENT1 and DC1.
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "PING: transmit failed."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. CLIENT1 is configured with a classless network address, causing its network access to be restricted.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is not displayed. Because CLIENT1 has a classless network address and no active route to contact DC1, it does not have access to domain services.
8. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.2 is displayed. This is the IP address of NPS1, which serves as the NAP DHCP enforcement server for the test lab. The NAP DHCP enforcement server is automatically available to clients on the restricted network. You do not have to add this server to a remediation server group.
9. Leave the command window open for the following procedure.

Configure DC1 as a remediation server


Next, configure DC1 as a remediation server so that CLIENT1 has access to DNS and Active Directory when it is granted restricted access.
1. On NPS1, click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, open Policies, and then click Network Policies.
3. In the details pane, double-click NAP DHCP Non NAP-Capable.
4. On the Settings tab, under Network Access Protection, click NAP Enforcement.
5. Under Remediation Server Group and Troubleshooting URL, click Configure.
6. In the Remediation Servers and Troubleshooting URL dialog box, under Remediation Server Group, click New Group.
7. In the New Remediation Server Group dialog box, under Group Name, type Domain services, and then click Add.
8. In the Add New Server dialog box, under Friendly name, type DC1. Under IP address or DNS name, type 192.168.0.1, and then click OK twice.
9. Verify that the new remediation server group is selected under Remediation Server Group, and then click OK to close the Remediation Servers and Troubleshooting URL dialog box.
10. Click OK to close the NAP DHCP Non NAP-Capable Properties window.
11. In the details pane, double-click NAP DHCP Noncompliant.
12. Click the Settings tab, click NAP Enforcement, and then, under Remediation Server Group and Troubleshooting URL, click Configure. From the list under Remediation Server Group, select Domain services, and then click OK twice. DC1 has now been enabled as a remediation server for non-NAP-capable and noncompliant computers.
13. Leave the Network Policy Server console open for the following procedure.

Renew IP addressing on CLIENT1


Next, obtain a new IP address profile for CLIENT1 from DHCP.
1. On CLIENT1, in the Administrator: Command Prompt window, type ipconfig /renew, and then press ENTER.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "Reply from 192.168.0.1."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. Because the NAP Agent service is not running on CLIENT1, restricted access to the network is still enforced.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is displayed. Because DC1 is a member of the remediation servers group, CLIENT1 has been granted access to domain services on the restricted network.
8. Close the command window.
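The checks in the connectivity test and in the renewal procedure above can be automated rather than read by eye. The following Python script is an added example, not part of the Microsoft guide: it parses ipconfig and route print -4 output, reports whether the lease carries the restricted.contoso.com suffix or the 255.255.255.255 host mask, and tests whether each lab server's address is covered by an active route. The command output embedded in it is constructed to match what the procedures describe, not captured from CLIENT1; the server names and addresses are those of the test lab.

```python
"""Classify a NAP client's DHCP restriction state from ipconfig and
route print -4 output, as the test lab procedures do by eye.
Added example: the command output below is constructed, not captured."""
import ipaddress

# Values the lab's Default Network Access Protection Class hands to noncompliant clients
RESTRICTED_SUFFIX = "restricted.contoso.com"   # DHCP option 015 on the restricted network
HOST_MASK = "255.255.255.255"                  # classless (/32) lease, so no on-link subnet
LAB_SERVERS = {"DC1": "192.168.0.1", "NPS1": "192.168.0.2"}  # addresses from the test lab

# Constructed ipconfig output for CLIENT1 while it holds a restricted lease
IPCONFIG_RESTRICTED = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : restricted.contoso.com
   IPv4 Address. . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""

# Constructed route print -4 output before DC1 is in a remediation server group:
# the only non-local host route points at NPS1, the NAP DHCP enforcement server.
ROUTES_BEFORE_REMEDIATION = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.2  255.255.255.255         On-link       192.168.0.3     11
      192.168.0.3  255.255.255.255         On-link       192.168.0.3    266
===========================================================================
"""

# Constructed output after ipconfig /renew with DC1 as a remediation server:
# the DHCP server now also pushes a host route to DC1, and nothing else.
ROUTES_AFTER_REMEDIATION = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.1  255.255.255.255         On-link       192.168.0.3     11
      192.168.0.2  255.255.255.255         On-link       192.168.0.3     11
      192.168.0.3  255.255.255.255         On-link       192.168.0.3    266
===========================================================================
"""

# Constructed output for a compliant lease: normal mask, contoso.com suffix, subnet route
IPCONFIG_COMPLIANT = (IPCONFIG_RESTRICTED.replace(RESTRICTED_SUFFIX, "contoso.com")
                      .replace(HOST_MASK, "255.255.255.0"))
ROUTES_COMPLIANT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      192.168.0.0    255.255.255.0         On-link       192.168.0.3    266
      192.168.0.3  255.255.255.255         On-link       192.168.0.3    266
===========================================================================
"""


def parse_ipconfig(text):
    """Map each 'Label . . . : value' line of ipconfig output to {label: value}."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)   # labels never contain ':'; IPv6 values may
            fields[label.strip(" .")] = value.strip()
    return fields


def parse_routes(text):
    """Return (destination, netmask) pairs from the Active Routes table of route print -4."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
        elif in_table and line.startswith("="):
            break                              # end of the Active Routes table
        elif in_table:
            parts = line.split()
            if len(parts) == 5:                # data rows have 5 columns; the header has 6
                routes.append((parts[0], parts[1]))
    return routes


def is_reachable(address, routes):
    """True if an active route's destination network covers the address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(f"{dest}/{mask}", strict=False)
               for dest, mask in routes)


def nap_restriction_report(ipconfig_text, route_text, servers=LAB_SERVERS):
    """Summarize the restriction signals the lab checks and which servers have a route."""
    cfg = parse_ipconfig(ipconfig_text)
    routes = parse_routes(route_text)
    suffix = cfg.get("Connection-specific DNS Suffix", "")
    mask = cfg.get("Subnet Mask", "")
    return {
        "dns_suffix": suffix,
        "subnet_mask": mask,
        "restricted": suffix == RESTRICTED_SUFFIX or mask == HOST_MASK,
        "reachable": {name: is_reachable(ip, routes) for name, ip in servers.items()},
    }


if __name__ == "__main__":
    print("before remediation group:", nap_restriction_report(IPCONFIG_RESTRICTED, ROUTES_BEFORE_REMEDIATION))
    print("after remediation group: ", nap_restriction_report(IPCONFIG_RESTRICTED, ROUTES_AFTER_REMEDIATION))
    print("compliant lease:         ", nap_restriction_report(IPCONFIG_COMPLIANT, ROUTES_COMPLIANT))
```

On a real CLIENT1 you would feed the script the live output (for example, the stdout of subprocess.run for ipconfig and route print -4) instead of the constructed strings. The report then states in one step what steps 2 to 7 verify by eye: before DC1 is a remediation server, only NPS1 has a host route; afterwards DC1 is reachable while the lease is still restricted, which is exactly the behaviour a remediation server group is meant to produce.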

Join CLIENT1 to the Contoso.com domain


Because CLIENT1 now has access to domain services, it can be joined to the domain.
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. In the System Properties dialog box, click Change.
4. In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com.
5. Click More, and in Primary DNS suffix of this computer, type Contoso.com.
6. Click OK twice.
7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
10. In the System Properties dialog box, click Close.
11. In the dialog box that prompts you to restart the computer, click Restart Later.
Note
Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT1 will receive NAP client settings from Group Policy.

Add CLIENT1 to the NAP client computers security group


After joining the domain, CLIENT1 must be added to the NAP client computers security group so that it can receive NAP client settings.
1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, click Contoso.com.
3. In the details pane, double-click NAP client computers.
4. In the NAP client computers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
7. Verify that CLIENT1 is displayed below Members, and then click OK.
8. Close the Active Directory Users and Computers console.
9. Restart CLIENT1 to apply the new security group membership.

Enable Run on the Start menu


The Run command is useful for several procedures in the test lab. To make it readily available, we will enable Run on the Start menu.
1. After CLIENT1 has been restarted, click Switch User, click Other User, and then log on to the CONTOSO domain with the User1 account you created.
2. Right-click Start, and then click Properties.
3. In the Taskbar and Start Menu Properties window, select Start menu, and then click Customize.
4. In the Customize Start Menu window, select the Run command check box, and then click OK twice.

Verify Group Policy settings


After it has been restarted, CLIENT1 will receive Group Policy settings to enable the NAP Agent service and DHCP enforcement client. The command line will be used to verify these settings.
1. Click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
3. In the command output, under Enforcement clients, verify that the Admin status of the DHCP Quarantine Enforcement Client is Enabled.
4. In the command window, type netsh nap client show state, and then press ENTER.
5. In the command output, under Enforcement client state, verify that the Initialized status of the DHCP Quarantine Enforcement Client is Yes.
6. Close the command window.

Verifying NAP functionality


The following procedures are used to verify that the NAP infrastructure is functioning correctly:
Verification of NAP auto-remediation. CLIENT1 is automatically remediated when Windows Firewall is turned off, causing Windows Firewall to be turned back on.
Verification of NAP policy enforcement. NAP policy is revised to be more restrictive, causing CLIENT1 to be noncompliant with policy and unable to remediate itself. When CLIENT1 is in a noncompliant state, its network access will be restricted.

Verification of NAP auto-remediation


The NAP DHCP noncompliant network policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that CLIENT1 is automatically remediated to a compliant state when Windows Firewall is turned off.
1. On CLIENT1, click Start, and then click Control Panel.
2. Click Security, click Security Center, and then click Windows Firewall.
3. In the Windows Firewall dialog box, click Change settings.
4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
5. In Windows Security Center, you will see that the status of Windows Firewall is displayed as Off and is then displayed as On.
6. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of CLIENT1. See the following example.
7. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network. See the following example.

Because auto-remediation occurs rapidly, you might not see one or both of these messages.

Verification of health policy enforcement


Network health policy enforcement will be verified by configuring an additional requirement in network policy that is not met by CLIENT1, and demonstrating that CLIENT1 is subsequently placed on the restricted network.

Configure WSHV to require an antivirus application


Configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.
1. On NPS1, in the Network Policy Server console, open NPS (Local), then Network Access Protection, then System Health Validators.
2. Under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box.
5. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.

Release and renew the IP address on CLIENT1


To reevaluate the health state of CLIENT1 against the new network health requirements, turn Windows Firewall off. CLIENT1 will automatically remediate the Windows Firewall setting, but because an antivirus program is not installed, the health requirement for an antivirus program cannot be met. Therefore, CLIENT1 will remain in a noncompliant state and will obtain an IP address configuration for the restricted network.
1. On CLIENT1, in the Windows Firewall dialog box, click Change settings.
2. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
3. In Windows Security Center, you will see that Windows Firewall is initially displayed as off, and then displayed as on. Although Windows Firewall is turned on, CLIENT1 cannot install an antivirus application automatically, so it will remain in a noncompliant state and its network access will be restricted.

View the client restriction state


Because the client computer is in a noncompliant state, the DHCP server will assign an IP address to the client computer for the restricted network. You can tell that the client is on the restricted network because the DHCP server assigns a connection-specific DNS suffix of restricted.contoso.com. The following figure shows an example.

You might see a message in the notification area that indicates the computer does not meet the corporate security requirements.

View the client's restriction state with Netsh
You can also check the restriction state of the computer using a NAP Netsh command.
1. On CLIENT1, at the command prompt, type netsh nap client show state, and then press ENTER.
2. Scroll up the command window to display the Client state section. The Restriction state should be "Restricted."
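The two Netsh checks in this guide (the Verify Group Policy settings procedure, and the restriction state check just above) read values out of netsh nap client show grouppolicy and netsh nap client show state. The following Python function is an added example, not part of the Microsoft guide: it groups the key = value lines that netsh prints into records under their section headers and returns the three facts the procedures verify (the enforcement client is enabled by Group Policy, the NAP Agent has initialized it, and the client's restriction state). The netsh output embedded in it is constructed to illustrate the layout, not captured from CLIENT1, and the second enforcement client in it is there only to show that records are matched by name.

```python
"""Read the NAP client facts the test lab verifies out of
'netsh nap client show grouppolicy' and 'netsh nap client show state'.
Added example: the command output below is constructed, not captured."""

DHCP_EC = "DHCP Quarantine Enforcement Client"   # enforcement client name used by the lab

# Constructed 'netsh nap client show grouppolicy' excerpt after the GPO has applied
GROUPPOLICY_OUTPUT = """\
Group Policy Settings:
----------------------------------------------------
Enforcement clients:
----------------------------------------------------
Name          = DHCP Quarantine Enforcement Client
Admin status  = Enabled

Name          = IPsec Relying Party
Admin status  = Disabled
"""

# Constructed 'netsh nap client show state' excerpt while CLIENT1 is noncompliant
STATE_RESTRICTED = """\
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Status                 = Enabled
Restriction state      = Restricted
Troubleshooting URL    =

Enforcement client state:
----------------------------------------------------
Name                   = DHCP Quarantine Enforcement Client
Initialized            = Yes

Name                   = IPsec Relying Party
Initialized            = No
"""

# Same layout once CLIENT1 is compliant again and holds an unrestricted lease
STATE_UNRESTRICTED = STATE_RESTRICTED.replace("= Restricted", "= Not restricted")


def parse_netsh_sections(text):
    """Group 'key = value' lines into records under the section header they follow.
    A header is a line ending in ':' with no '='; a blank line ends the current record."""
    sections = {}
    current, record = None, {}

    def close():
        if record and current is not None:
            sections.setdefault(current, []).append(dict(record))
        record.clear()

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            close()
        elif set(stripped) == {"-"}:
            continue                                  # separator rule under a header
        elif stripped.endswith(":") and "=" not in stripped:
            close()
            current = stripped[:-1]
            sections.setdefault(current, [])
        elif "=" in stripped:
            key, value = stripped.split("=", 1)
            record[key.strip()] = value.strip()       # value may be empty (Troubleshooting URL)
    close()
    return sections


def check_dhcp_enforcement(grouppolicy_text, state_text, client=DHCP_EC):
    """Return what the lab verifies: Admin status from Group Policy, Initialized
    from the agent state, and the client's overall Restriction state."""
    gp = parse_netsh_sections(grouppolicy_text)
    st = parse_netsh_sections(state_text)

    def by_name(records):
        return next((r for r in records if r.get("Name") == client), {})

    gp_rec = by_name(gp.get("Enforcement clients", []))
    st_rec = by_name(st.get("Enforcement client state", []))
    client_state = (st.get("Client state") or [{}])[0]
    return {
        "admin_enabled": gp_rec.get("Admin status") == "Enabled",
        "initialized": st_rec.get("Initialized") == "Yes",
        "restriction_state": client_state.get("Restriction state", "Unknown"),
    }


if __name__ == "__main__":
    print(check_dhcp_enforcement(GROUPPOLICY_OUTPUT, STATE_RESTRICTED))
    print(check_dhcp_enforcement(GROUPPOLICY_OUTPUT, STATE_UNRESTRICTED))
```

Matching records by Name rather than by position matters because the order of enforcement clients in the netsh listing is not something a script should rely on; a client with the DHCP enforcement client disabled, or not yet initialized, will show up here as admin_enabled or initialized being False even though the restriction state may still read Restricted, which is the non-NAP-capable case the Test network connectivity procedure demonstrates.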

Allow CLIENT1 to become compliant


Next, configure NPS1 to remove the antivirus health requirement so that CLIENT1 can be compliant. You can use ipconfig to release and renew the IP address on CLIENT1 to generate a new SoH.
1. On NPS1, open the Network Policy Server console.
2. Double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. In the Windows Security Health Validator dialog box, under Virus Protection, clear the An antivirus application is on check box.
5. Click OK twice to complete configuration of the WSHV.
6. On CLIENT1, type ipconfig /release, and then type ipconfig /renew at the elevated command prompt to obtain a new IP address configuration with unrestricted access.
7. Verify that the new IP address configuration is assigned the connection-specific DNS suffix of contoso.com.

See Also
http://go.microsoft.com/fwlink/?LinkId=56443

Appendix
This appendix will help you with troubleshooting techniques and the setting of optional features in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7.

Set UAC behavior of the elevation prompt for administrators


By default, User Account Control (UAC) is enabled in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type secpol.msc, and press ENTER.
3. In the User Account Control dialog box, click Continue.
4. In the left pane, double-click Local Policies, and then click Security Options.
5. In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
6. From the drop-down list box, choose Elevate without prompting, and then click OK.
7. Close the Local Security Policy window.

Review NAP client events


Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.

Review NAP server events


Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. It can also help you to understand NAP server functionality.
1. Click Start, and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer (Local)\Custom Views\Server Roles\Network Policy and Access Services.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.