Network Layout

Windows Server 2008 R2 (R2.test.com, 192.168.11.100):
Active Directory Domain Services
Active Directory Certificate Services—Enterprise Root CA
Create two user accounts: user1 and user2
Create an OU: NAP Clients
Create a security group: IPSec NAP Exemption
certtmpl.msc
Duplicate the “Workstation Authentication” template
Template display name: System Health Authentication
Select the “Publish certificate in Active Directory” check box

Extensions tab
Edit Application Policies and add the System Health Authentication policy. Its object identifier is 1.3.6.1.4.1.311.47.1.1. If the CA runs on Windows Server 2003 Enterprise Edition, this application policy does not exist by default and you must create it manually with that name and OID.

Security tab
Grant the IPSec NAP Exemption group Read, Enroll and Autoenroll. Computers in that group then obtain a System Health certificate automatically through autoenrollment.

The Health Registration Authority requests System Health certificates on behalf of client computers and runs as NETWORK SERVICE, so on the CA grant the NETWORK SERVICE account the Request Certificates, Issue and Manage Certificates, and Manage CA permissions (certsrv.msc, CA properties, Security tab).
certsrv.msc
Certificate Templates, New, Certificate Template to Issue: System Health Authentication
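The Active Directory objects and the CA-side steps listed above, scripted in PowerShell on the domain controller. This is an added example, not part of the original notes. It assumes the domain is test.com, the enterprise CA is installed on the DC, and the duplicated template's internal name is SystemHealthAuthentication (the default certtmpl.msc derives from the display name “System Health Authentication”); the duplication itself and the template's Extensions and Security tabs are still done in certtmpl.msc.

```powershell
# Added example (not from the original notes): creates the lab AD objects from the steps
# above and publishes the duplicated template on the enterprise CA.
# Assumptions: domain test.com (DC=test,DC=com), the CA runs on this DC, and the duplicated
# template's internal name is SystemHealthAuthentication. Adjust both if your lab differs.
Import-Module ActiveDirectory

$domainDN = 'DC=test,DC=com'

# Users, the OU that will hold NAP clients, and the exemption group for boundary-network hosts
foreach ($u in 'user1', 'user2') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Password for $u")
    }
}
New-ADOrganizationalUnit -Name 'NAP Clients' -Path $domainDN -ProtectedFromAccidentalDeletion $false
New-ADGroup -Name 'IPSec NAP Exemption' -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"

# Refuse to publish the template until it carries the System Health Authentication
# application policy OID; a health cert without it is just a workstation cert.
$templateName = 'SystemHealthAuthentication'
$dump = certutil -v -template $templateName 2>&1 | Out-String
if ($dump -notmatch '1\.3\.6\.1\.4\.1\.311\.47\.1\.1') {
    throw "Template $templateName does not carry OID 1.3.6.1.4.1.311.47.1.1; fix the Extensions tab first"
}

# Equivalent of certsrv.msc > Certificate Templates > New > Certificate Template to Issue
certutil -SetCATemplates "+$templateName"
certutil -CATemplates    # lists the templates this CA now issues; the new one must appear
```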
Default Domain Policy

Export the CA certificate from the RootCA properties (General tab, View Certificate, Details, Copy to File).
Import the RootCA certificate into Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities in the Default Domain Policy, so every domain member trusts the CA.
Import the same RootCA certificate into the Trusted Root Certification Authorities store of the local computer on the Vista machine, because it is not a domain member and does not receive the domain policy.

The single domain controller will also be the Network Policy Server and the Health Registration Authority. This domain controller must be a member of the IPSec NAP Exemption group so that it obtains a health certificate immediately through autoenrollment, which allows it to communicate without restriction with the other computers on the network.
Add the domain controller to the member list of the IPSec NAP Exemption group.
Run certutil -pulse to trigger autoenrollment.
The domain controller gets its System Health certificate.
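The domain controller enrollment step above (add it to the exemption group, certutil -pulse, confirm the certificate), as an added PowerShell example that is not from the original notes. It assumes the DC's computer account is R2 and that the ActiveDirectory module is available on it.

```powershell
# Added example (not from the original notes): put the DC into the exemption group, trigger
# autoenrollment, and confirm a health certificate landed in the computer's Personal store.
# Assumptions: the DC's computer name is R2; run elevated on the DC.
Import-Module ActiveDirectory

$healthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication application policy

function Get-HealthCertificate {
    # Returns the certificates in LocalMachine\My whose Enhanced Key Usage extension
    # (OID 2.5.29.37) contains the System Health Authentication OID; empty if none was issued.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $healthOid })
    }
}

Add-ADGroupMember -Identity 'IPSec NAP Exemption' -Members (Get-ADComputer -Identity 'R2')

# If enrollment fails right after the group change, the DC's computer token predates the
# membership: purge the computer account's Kerberos tickets (logon session 0x3e7) or
# reboot, then pulse again.
#   klist -li 0x3e7 purge

# certutil -pulse asks the autoenrollment task to run now instead of at its next interval
certutil -pulse
Start-Sleep -Seconds 10

$certs = @(Get-HealthCertificate)
if ($certs.Count -eq 0) {
    throw 'No System Health Authentication certificate in LocalMachine\My; check group membership, template permissions and autoenrollment'
}
$certs | Format-List Subject, Issuer, NotAfter, Thumbprint
```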

Add role: Network Policy and Access Services, with the Network Policy Server and Health Registration Authority role services.

HRA installs two applications under the Default Web Site in IIS: DomainHRA, for clients that authenticate with domain credentials, and NonDomainHRA, for anonymous requests. Selecting “Allow anonymous requests for health certificates” during setup is what lets workgroup computers, which cannot authenticate to the domain, enroll for health certificates through the NonDomainHRA URL.

Configuring NAP

In the NPS console, run Configure NAP and choose IPsec with Health Registration Authority (HRA) as the enforcement method.
On the Specify NAP Enforcement Servers Running HRA page, just click Next: the domain controller is itself the HRA, so no remote HRA has to be added as a RADIUS client.
On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test.
On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
Configure SHVs

When registering the CA in the Health Registration Authority console (Certification Authority node), remember that the CA type is Enterprise CA; HRA only requests template-based System Health Authentication certificates from an enterprise CA.


Configure NAP Client settings in Group Policy
Create a new GPO: NAP Client Settings
Computer Configuration/Policies/Windows Settings/Security Settings/System Services
Network Access Protection Agent: Automatic
Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Enforcement Clients: enable IPsec Relying Party


Under Health Registration Settings, add a new Trusted Server Group named Trusted HRA Servers with the URL https://R2.test.com/domainhra/hcsrvext.dll. Domain-joined client computers use this URL to obtain a health certificate.
Check in IIS Manager that the DomainHRA and NonDomainHRA applications exist under the Default Web Site and that the site has an HTTPS binding with a server certificate from the CA, since the trusted server URL uses https.
Link the NAP Client Settings GPO to the NAP Clients OU.
Join the Windows 7 computer to the domain and move its computer account into the NAP Clients OU.
Because the GPO's security filtering is restricted to the NAP Client Settings group, you must also add the Windows 7 computer object to the member list of that group.
Restart the computer.
netsh nap client show grouppolicy

The Vista machine is not a member of the domain and does not use the domain's DNS, so add a hosts file entry pointing at the NAP server:
192.168.11.100 R2.test.com
Export the CA certificate and import it into the computer store:
Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
Right-click Certificates, point to All Tasks, and then click Import.
napclcfg.msc
Enforcement Clients: IPSec Relying Party -- Enabled
Health Registration Settings, Trusted Server Groups: add a group containing the non-domain HRA URL:
https://R2.test.com/nondomainhra/hcsrvext.dll
Configure the “Network Access Protection Agent” service to start automatically.
net start napagent
netsh nap client show configuration
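The whole workgroup-client preparation above, done from an elevated PowerShell prompt on the Vista machine instead of the hosts file editor, the Certificates snap-in and napclcfg.msc. This is an added example, not from the original notes. It assumes the CA certificate was exported on R2 with certutil -ca.cert C:\Temp\RootCA.cer (the same file that is imported into the Default Domain Policy for domain members) and copied to C:\Temp on the client, and it uses the HRA name and address from these notes.

```powershell
# Added example (not from the original notes): prepares the workgroup Vista client by hand,
# doing from the command line what the notes do in napclcfg.msc and the Certificates snap-in.
# Assumptions: DC/CA/HRA is R2.test.com at 192.168.11.100; RootCA.cer was exported on R2 with
# "certutil -ca.cert C:\Temp\RootCA.cer" and copied to C:\Temp here; run elevated on the client.

# 1. Name resolution: this machine does not use the domain's DNS, so pin the HRA name.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern '^\s*192\.168\.11\.100\s+R2\.test\.com' -Quiet)) {
    Add-Content -Path $hosts -Value '192.168.11.100 R2.test.com'
}

# 2. Trust the enterprise root CA so the HTTPS HRA endpoint and the health certs chain up.
certutil -addstore -f Root C:\Temp\RootCA.cer

# 3. Enable the IPsec Relying Party enforcement client (enforcement client ID 79619).
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"

# 4. Trusted server group pointing at the non-domain HRA URL; HTTPS is required so the
#    client never hands its SoH to an unauthenticated server.
netsh nap client add trustedservergroup group = "Trusted HRA Servers" requirehttps = "ENABLE"
netsh nap client add server group = "Trusted HRA Servers" url = "https://R2.test.com/nondomainhra/hcsrvext.dll" processingorder = 1

# 5. NAP Agent service: automatic start, and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 6. Show what the agent will use. On a domain-joined client the same data comes from the
#    GPO and is displayed with "netsh nap client show grouppolicy" instead.
netsh nap client show configuration
```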

On all computers, allow ICMP echo requests in through the firewall so the machines can ping each other:
wf.msc
Create a new Inbound Rule of type Custom:
Rule name: ICMP Echo Request
Programs and services: All programs
Protocol type: ICMPv4
Specific ICMP types: Echo Request
From the Windows 7 machine (domain member), ping R2.test.com; afterwards the Certificates snap-in for the computer account shows a System Health certificate issued to this machine.
From the Vista machine, run ping r2.test.com.
Communication is OK.
The Certificates snap-in for the computer shows that a System Health certificate has been issued to the Vista machine as well.
Check the enforcement on both client computers:
Because auto-remediation is enabled, when you turn off Windows Firewall it is automatically turned back on.


Windows 7, Windows Server 2008, Windows Vista and Windows XP Service Pack 3 include the Windows Security Health Agent (WSHA), an SHA that reports the state of the Windows Security Center settings (firewall, antivirus, antispyware, automatic updates and security updates).
Change the settings of the Windows Security Health Validator so that an antivirus application is required.

The Vista machine has an antivirus program installed but the Windows 7 machine does not.
The Vista machine gets the System Health certificate; the Windows 7 machine does not.
Refresh the SoH on the client computer
After the client received a health certificate, the Windows Security Health Validator settings in NPS were changed. A new Statement of Health (SoH) must be sent from the client so that it is evaluated against the new settings. The client sends one when its health certificate expires or when a change in its health status is detected. To produce such a change, turn Windows Firewall off. On the Windows 7 machine, which has no antivirus program, the System Health Authentication certificate is removed as soon as the firewall is turned off: the change triggers a new SoH from the client to NPS, and that SoH fails the validator.
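The ICMP rule, the first ping and the SoH refresh described above, combined into one added PowerShell example (not from the original notes) to run elevated on a client. It assumes the HRA is R2.test.com and that the Windows Security Health Validator is the only SHV in use; the sleeps are arbitrary waits for the NAP agent and guarantee nothing, so re-check if a value has not changed.

```powershell
# Added example (not from the original notes): ICMP rule, first ping, then force a new SoH by
# toggling Windows Firewall and watch the effect on the health certificate and agent state.
# Assumptions: HRA is R2.test.com; only the Windows Security Health Validator is configured;
# run elevated on the client. Sleep lengths are guesses.
$healthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU

function Test-HealthCertPresent {
    # True when LocalMachine\My holds a certificate whose EKU (OID 2.5.29.37) includes the health OID
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $healthOid })
    }
    return [bool]$match
}

# 1. Inbound ICMPv4 Echo Request rule (what the notes build in wf.msc as a Custom rule).
#    icmpv4:8,any = type 8 (Echo Request), any code; inbound, all programs, all profiles.
$ruleName = 'ICMP Echo Request'
if ((netsh advfirewall firewall show rule name="$ruleName" | Out-String) -match 'No rules match') {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=icmpv4:8,any profile=any
}

# 2. Ping the HRA: proves name resolution, the ICMP rule and reachability of R2, which is
#    the point at which the notes look for the freshly issued health certificate.
Test-Connection -ComputerName R2.test.com -Count 2 -ErrorAction Stop | Out-Null
Start-Sleep -Seconds 5
"After ping, health certificate present: $(Test-HealthCertPresent)"
netsh nap client show state      # per-SHA compliance and enforcement client state

# 3. Force a new Statement of Health: turning the firewall off changes what the WSHA reports.
netsh advfirewall set allprofiles state off
Start-Sleep -Seconds 15
netsh nap client show state
"Firewall off, health certificate present: $(Test-HealthCertPresent)"
#    If the SHV requires an antivirus the client lacks, this stays False even after
#    auto-remediation turns the firewall back on; otherwise it returns to True.

# 4. Auto-remediation re-enables the firewall; set it explicitly so the lab ends in a known state.
netsh advfirewall set allprofiles state on
Start-Sleep -Seconds 15
"Firewall on, health certificate present: $(Test-HealthCertPresent)"
```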
IPSec Enforcement
The domain controller (also the NPS and HRA) accepts both secured and unsecured communication, so that clients without a health certificate can still reach it to obtain one. In NAP terms the domain controller is in the boundary network.
Edit the Default Domain Controllers Policy
Windows Firewall with Advanced Security
Create a new Connection Security Rule
Rule type: Isolation
Requirements: Request authentication for inbound and outbound connections
Authentication method: Advanced – Customize button – Add button – Computer certificate from this certification authority (CA), Accept only health certificates

Edit the NAP Client Settings GPO
Windows Firewall with Advanced Security
New Connection Security Rule
Rule type: Isolation
Requirements: Require authentication for inbound connections and request authentication for outbound connections
Authentication method: Advanced – Customize button – Add button – select Computer certificate from this certification authority (CA) and check Accept only health certificates.
Windows 7 machine: gpupdate /force
The Vista machine is not part of the domain, so the domain policy does not apply to it. Open the Windows Firewall with Advanced Security snap-in on it directly and create the same connection security rule (Isolation, require inbound and request outbound authentication, computer certificate from the CA, health certificates only):
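The two isolation rules above, written as netsh advfirewall consec commands in an added PowerShell example (not from the original notes). The first rule is the boundary-network rule for the DC/HRA (the notes put it in the Default Domain Controllers Policy); the second is the client rule (GPO for Windows 7, run locally on the Vista machine). It assumes the CA certificate's subject is CN=RootCA, DC=test, DC=com; substitute the real subject from the exported CA certificate.

```powershell
# Added example (not from the original notes): the boundary and secure-network isolation rules
# as netsh advfirewall consec commands. Run elevated; each rule goes on the machines named
# in the comment, not on all of them.
# Assumption: the enterprise root CA's subject is "CN=RootCA, DC=test, DC=com". Use the exact
# Subject of your CA certificate (certutil -ca.cert C:\Temp\RootCA.cer, then open the file).
$caSubject = 'CN=RootCA, DC=test, DC=com'

# Boundary network (DC/HRA only): ask for authentication in both directions but never require
# it, so a client that has no health certificate yet can still reach the HRA to get one.
netsh advfirewall consec add rule name="NAP Boundary Request" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computercert auth1ca="$caSubject" auth1healthcert=yes

# Secure network (NAP clients): inbound connections must authenticate with a health
# certificate from our CA; outbound only requests it, so the client can still reach the
# boundary network. auth1healthcert=yes is the "Accept only health certificates" check box.
netsh advfirewall consec add rule name="NAP Secure Require Inbound" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computercert auth1ca="$caSubject" auth1healthcert=yes

# Inspect the rules, then (after some traffic) the main-mode SAs that were negotiated; a peer
# that holds no health certificate shows no SA here, which is what a failed ping looks like.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```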

Because the Windows 7 machine does not have a System Health Authentication certificate, the Vista machine cannot communicate with it. In the Monitoring node (Security Associations) of Windows Firewall with Advanced Security on the Vista machine there is an association with the domain controller, authenticated by its System Health Authentication certificate (boundary network), but none with the Windows 7 computer. A ping from the Vista machine to the Windows 7 machine fails.
Now change the Security Health Validator settings so that an antivirus application is no longer required.

Turn off Windows Firewall to trigger the sending of a new SoH. In the Certificates snap-in on both the Vista and the Windows 7 machine, the System Health Authentication certificate is now present.
Vista and Windows 7 can communicate without problems.

Remediation server groups do not apply to NAP IPsec enforcement. Even though you specify a remediation server group in the network policy, that setting is not what lets non-compliant clients reach those servers: with IPsec enforcement, what a non-compliant client can reach is decided by the connection security rules, so remediation servers belong in the boundary network, where authentication is only requested and never required.