Best of Q&A for the TechNet Webcast: 24 Hours of Windows Server 2008 (Part 18 of 24): Network Access Protection (Level 200)
Below are the best of the questions and answers that occurred during our TechNet Webcast entitled, "24 Hours of Windows Server 2008 (Part 18 of 24): Network Access Protection"
Thanks for attending! ...and if you haven't seen the webcast yet, you can click on the link above (or the picture to the left) to get to the registration page.
PS - here are the RESOURCES I pulled together for this webcast
Questions and Answers
“I am running XP SP3. How could I find the NAP client? I did look in the MMC and could not find the NAP Client snap-in.”
First of all – to those of you who heard me say on the webcast that you should be able to find it that way, I apologize. And I was correct in one sense... that’s where it SHOULD be. But I hadn’t personally worked with XP SP3 yet (probably won’t ever, quite honestly). The reality of it is that you will need to configure the NAP Enforcement Client using NETSH. (Another reason to just go with Vista.)
To enable the NAP Client on XP SP3 you need to do the following three things:
- Enable the Network Access Protection Agent service to start automatically (same as with Vista – either on the local machine or through Group Policy):
  - Start --> Run --> Services.msc
  - Change the Network Access Protection Agent service to start automatically
  - Start the Network Access Protection Agent service
- Enable the proper NAP Enforcement Clients (no MMC snap-in option on XP SP3, so it’s different if you want to enable it on the client without using Group Policy):
  - Start --> Run --> CMD.exe
  - Type: netsh nap client set enforcement ID = ##### Admin = "Enable"
- Enable and start the Security Center service:
  - Start --> Run --> GPEdit.msc
  - Drill down to Computer Configuration | Administrative Templates | Windows Components | Security Center
  - Enable the Security Center
  - Start --> Run --> Services.msc
  - Start the Security Center service
You will need to replace the ##### with the ID based on whichever enforcement method you are using. You can use the following IDs for the various enforcement methods:
- DHCP = 79617
- RAS = 79618
- IPSec = 79619
- TS Gateway = 79621
- EAP = 79623
Credit where credit is due: BIG thanks to “The Lazy Admin” for the article I “borrowed” this answer from.
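For anyone who has to do this on more than one XP SP3 box, here is the same three-step procedure as a script. This is an added example, not code from the webcast or from The Lazy Admin’s article; it assumes PowerShell 2.0 is installed on the XP machine, that it runs elevated, and that the registry value named in the Security Center step is the one behind the GPEdit setting (verify that on your build before you deploy it).

```powershell
# Enforcement client IDs exactly as listed above.
$EnforcementIds = @{
    'DHCP'      = 79617
    'RAS'       = 79618
    'IPSec'     = 79619
    'TSGateway' = 79621
    'EAP'       = 79623
}

function Enable-NapClientXp {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DHCP', 'RAS', 'IPSec', 'TSGateway', 'EAP')]
        [string]$Enforcement
    )
    $id = $EnforcementIds[$Enforcement]

    # Step 1: Network Access Protection Agent service (service name napagent) -> Automatic, then start it.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # Step 2: no MMC snap-in on XP SP3, so the enforcement client is switched on with netsh.
    & netsh.exe nap client set enforcement "ID=$id" "ADMIN=ENABLE" | Out-Null

    # Step 3: Security Center. ASSUMPTION: this is the policy value that the GPEdit setting
    # "Turn on Security Center (Domain PCs only)" writes; the service itself is wscsvc.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name SecurityCenterInDomain -Value 1 -Type DWord
    Set-Service -Name wscsvc -StartupType Automatic
    Start-Service -Name wscsvc

    # Verify instead of trusting the exit codes: both services running, and netsh reporting
    # the chosen enforcement client as Enabled (looks a few lines past the matching ID).
    $running = (Get-Service napagent).Status -eq 'Running' -and (Get-Service wscsvc).Status -eq 'Running'
    $cfg = & netsh.exe nap client show config
    $enabled = $false
    for ($i = 0; $i -lt $cfg.Count; $i++) {
        if ($cfg[$i] -match "ID\s*=\s*$id") {
            $window = $cfg[$i..[Math]::Min($i + 4, $cfg.Count - 1)] -join ' '
            if ($window -match 'Admin\s*=\s*Enabled') { $enabled = $true }
        }
    }
    return ($running -and $enabled)
}

# Example: DHCP enforcement. Returns $true only when every step can be confirmed afterwards.
Enable-NapClientXp -Enforcement DHCP
```

Run it once per enforcement method you use; a return value of $false tells you which machine to go look at rather than leaving it silently non-compliant.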
“Can NAP be used to prevent people from using computers on our network that are not joined to our domain (without breaking UNIX boxes, printers, etc. that cannot be domain members)?”
I believe you would need to define policies to make exceptions to the rules that block other non-domain members on behalf of those machines that you trust. For DHCP-based NAP, it’s easy. Just give ‘em static addresses (which they probably already have). For IPSec, manually configure the cert (provided the devices support it), though it’s not often that you’ll need to protect a sensitive server from a printer.
“Does the usage of health certificates in ‘IPSec mode of NAP’ require an existing PKI structure and auto-enrollment configured?”
Yes, it does. Auto-Enrollment will be how your "NAP Exempt" machines (such as the protected servers and your policy servers) get their health cert, and you’ll also configure the security settings on the Cert Server to allow the machine that is your HRA (Health Registration Authority) to enroll for certificates on behalf of the clients that have requested access and were found to be healthy.
“NAP replaces ISA?”
Nope. Two different things. ISA = Internet Security and Acceleration Server, which is a great corporate firewall solution (among other things). When I talk “firewall” in the context of NAP, I’m referring to the “host firewall”: the firewall protecting an individual server or workstation. And don’t be confused when I say “IAS”. That’s the old Internet Acceleration Server that contained RADIUS and RRAS capability, which has been superseded in Windows Server 2008 by NPS (Network Policy Server), to include those old functionalities, as well as the NAP supporting role services.