Network Access Policy and Server and Domain Isolation

9 Aug

The IT industry long ago saw coming the issue of network vulnerability caused by problematic
computers connecting to the network, and it has been furiously investigating solutions that
enforce company security policies physically. Network Access Control (NAC) was created to combat
this very issue. NAC provides a framework for vendors to produce services and features that
can interrogate a computer prior to a connection to the secure, internal network and ensure a
computer’s compliance with stated health requirements and security settings.
Microsoft has introduced its version of controlling network access with NAP, which provides
an enforcement service for health requirement policies prior to network access. NAP offers services,
components, and an application programming interface (API) that provide an inherent
solution for ensuring the health of servers and networks running Windows Server 2008 as
well as of computers running Windows Vista and Windows XP Service Pack 3 as clients.
After this lesson, you will be able to:
■ Describe Network Access Protection (NAP) and the various scenarios for its
■ Describe the architecture and components of NAP.
■ Identify purposes for specific NAP enforcement methods.
■ Describe the process for implementing NAP policies.
Estimated lesson time: 45 minutes
Network Access Protection Overview
Network Access Protection (NAP) provides a platform for validating the health of computer
systems prior to allowing access to protected networks. In doing so, a level of assurance can be
attained that a computer has at least been “inspected” prior to accessing the private network
every time a new connection is made. The validation a computer undergoes can now be logically
Prior to NAP, a typical connection from an external computer would involve a client connecting
across a public network such as the Internet, using a VPN connection. The client connection
would initially pass through a firewall or be forwarded by a proxy using the appropriate
communication ports required by the chosen security protocol. An authentication service
would then examine the credentials of the remote access client. If the credentials were successfully
authenticated, the client would be connected to whatever portion of the protected network
the connection was previously set up to accomplish.
256 Chapter 5 Designing a Network Access Strategy
This scenario has a major flaw. If the remote access client is exactly who it purports to be,
provides all the necessary credentials appropriately, and performs only the tasks on the private
network that the connection was set up to do, would there still be a problem? Maybe.
Suppose the remote access client performs unintended service requests, discovery, research,
or—worse—invasive software installations without the knowledge of the user of the computer
making the remote access connection. This has become one of the primary reasons for
implementing a NAP solution.
Real World
Paul Mancuso
After spending a considerable amount of time, effort, and money, you have deployed
across an entire network the following security services:
■ A top-of-the-line perimeter firewall device
■ An antivirus module inside the firewall device whose services you have configured
to check for updates once every hour
■ An automated update service for workstations and servers to call upon periodically
for updates to the operating system and installed applications
■ An enterprise anti-malware service that installed anti-malware agents on all client
workstations and servers within the environment, with centralized management
for setting and configuring changes and updating installed software and agents on
deployed computers
Feeling that the enterprise has a reasonable level of security, you go home and think that
tomorrow should now be a relatively peaceful day.
In the evening, a salesman visiting a branch office connects his laptop to the protected
network. The salesman’s laptop is considered safe merely because it is corporate property.
A worm that was released into the wild that day had infected the corporate offices
of another corporation, where the salesman had plugged the laptop in while delivering
a presentation. The worm can now perform functions inside the network from a device
considered to be a secure system. Tomorrow comes, and virus reports are coming out of
the woodwork.
Lesson 2: Network Access Policy and Server and Domain Isolation 257
Several factors could have caused the salesman’s laptop to become infected. First, it is
presumed that the salesman does not alter the basic security settings of either the security
software or the operating system. Also, the laptop is part of the domain; internal
group policies were set to ensure the timely scheduling of updates to either the operating
system or the security software on all computers, including those the salesman uses.
This last presumption leads to missed updates when the salesman is traveling and not
connected to the network.
These periodic lapses in acquiring updates provide opportunities for infections when
the salesman connects the laptop to unknown environments. The salesman’s laptop can
acquire all kinds of Trojan horse programs, viruses, and worms. The salesman travels
back to the office, plugs the infected laptop into the protected network, and unknowingly
unleashes the malicious programming on the laptop into the protected network.
The salesman has bypassed all the security precautions the enterprise administrator has
painstakingly set up in the network.
With a NAP solution, the possibilities of a traveling employee or guest unleashing an infection
into your secured network are lessened. The standard communication flow from a computer
being introduced to a network for its initial connection to the network would be altered to pass
through a perimeter network as the components of the NAP platform engage. The NAP platform
would now involve an entire NAP ecosystem with the connection request of an external
client now referred to as a NAP client. The perimeter network would still include the same
security services and devices as before, but now the NAP client’s request for access takes a
detour as the various components of the NAP platform engage to determine the health status
of the connecting client. Figure 5-7 shows the difference between a traditional remote access
connection and one involving a NAP platform.
Figure 5-7 shows that not only are NAP components now involved in the communication flow,
but also that the NAP client might be restricted to an external network referred to as the remediation
network, where additional servers using health resources update the client and bring
it into compliance.
Figure 5-7 Remote access connection comparison with and without NAP
[Figure: two panels. "VPN Remote Access without NAP": VPN Server, NPS Servers, Active Directory Domain Services. "VPN Remote Access with NAP": VPN Server, NPS Service (RADIUS Server) with NAP, Active Directory Domain Services; the SSoH requested from the VPN client is sent to the NAP Health Policy Server, and the SSoHR reply from the NAP Health Policy Server is returned in response to the SSoH from the VPN client.]
A complete NAP solution involves three distinct features:
■ Health state validation
■ Health policy compliance
■ Limited access
Health state validation is the process of validating a computer’s health and determining its
compliance. If the NAP platform is configured for a remediation network, a noncompliant
computer is restricted to only the remediation network’s subnet until it meets compliance. If
the NAP platform has been implemented initially with logging only to quantify compliance
issues, the health compliance of a computer is logged, and it is allowed to proceed with the
normal connection routine.
To monitor and possibly enforce health policy requirements, administrators create health policies.
The health policy component is the heart of a NAP solution. Health policies mandate the
level of software updates, operating system build, antivirus revision, and firewall features
implemented among many other possible health compliance factors.
When computer systems do not meet the level of health compliance necessary to connect to
the private network, an administrator can mandate one of two outcomes: either allow the
connection and log the noncompliant issues, or shunt the connection to a remediation network
to configure and update any noncompliant aspect of the computer. This is the limited-access
feature of NAP.
NOTE Network Access Quarantine
Limited access has some similarities to Network Access Quarantine Control, but only in one principal
feature: limiting access for noncompliant computers when making dial-up and VPN connections.
Limited access, when implemented with a NAP platform, provides considerable capability and a
standardized structure. This structure facilitates the addition of third-party enhancements and services.
NAP also extends beyond VPN and dial-up communication to include protection when computer
systems connect on the LAN. For more information, please visit the Cable Guy article on
Network Access Quarantine at
Overview of NAP Infrastructure
The NAP infrastructure for all types of enforcement provides a similar architectural overview
as displayed in Figure 5-8. Only the devices and regions of interest to a NAP solution
are pictured.
Figure 5-8 Overview of the NAP architecture
■ The Internet lies outside the perimeter network and is separated by the perimeter firewall.
VPN clients access the internal network from this region.
■ The perimeter network is segregated by a perimeter and internal firewall.
VPN servers reside here and provide the initial point of enforcement for a NAP VPN
enforcement point. For security purposes, no other NAP service is needed in this location.
■ The restricted network is logically separated from the intranet for computers that,
although having passed authentication for the NAP enforcement points that require
authentication, have not yet acquired the necessary authorization to access the secure
intranet. Servers deployed here can include quite a range of NAP support services:
❑ The usual DNS, Windows Internet Name Service (WINS), Active Directory
domain controllers, and DHCP servers along with other supporting network infrastructure
devices can be deployed.
[Figure 5-8 labels: NPS Server; Perimeter Network Infrastructure (AD, DHCP, etc.); NAP Services; NAP Health Policy; Health Registration]
❑ Servers supporting software updates such as Windows Server Update Services
(WSUS) can be deployed.
❑ For wired switches employing 802.1x enforcement, any switch ports can be associated
logically with the restricted network.
❑ For wireless access points employing 802.1x enforcement, the entire access point
might be logically associated with the restricted network because, at any time, it
can be servicing compliant and noncompliant computers.
■ The intranet is considered the secured network for most NAP enforcement methods and
contains the corporate environment. NAP IPsec enforcement includes an additional logical
boundary between two of its zones necessary for IPsec enforcement operation.
❑ The boundary network is where Health Registration Authority servers and, possibly,
NAP CAs, NPS servers, and IPsec remediation servers reside.
❑ The secure network is where the remaining portion of all NAP enforcement components
resides. These components are the NAP health policy servers, the health
requirement servers, the RADIUS proxy servers, and the NPS servers’ endpoints.
Where NAP Works
NAP can be implemented in any scenario in which a computer or network device has left a network
and requires a new connection when brought back to the network. Following are specific
scenarios of this type of event.
■ Desktop computers that have been dormant for periods of time
■ Laptops for roaming users
■ Personal desktops and laptops of corporate users when connecting to the network to
retrieve e-mail and other data
■ Laptops of guests
■ Laptops and desktops from users of partner firms connected by an extranet
This list comprises the general categories in which a NAP solution would provide a level of
assurance of the health of a connected computer. Due to the diversity of these categories, the
same level of enforcement of noncompliant computers might not be possible in all situations.
Computers that are unmanaged, such as partner computers, home computers, laptops,
and those of guests, would be sent to the restricted network; they might not be required
to undergo remediation, but they also would not be allowed into the private network. Managed
computers provided by the corporation could institute automatic remediation for any of its
computers moved into the restricted network. Options to remediate would vary, depending
on the situation.
Considerations for NAP Enforcement
When deliberating between the types of NAP enforcement methods to institute within your
network, you need to know the strengths and weaknesses of each method. How does each
method deal with non-NAP capable computers? What is required in each method to administer
unmanaged computers (computers not part of the internal AD DS)? In planning a NAP
solution, consider that all the NAP enforcement methods have one or more of the following:
■ NAP does not stop attackers.
■ NAP, to some degree, implies a trust with the NAP client.
■ NAP does not remove harmful software from connecting computers.
■ NAP should be treated as an assurance feature.
NAP cannot stop an attacker. A malicious user, whether an employee, guest, or outside user,
might provide all the necessary compliance for access to your network but still launch an
attack when inside your network.
NAP indirectly assumes that the client has not provided false settings, configurations, or modifications
to installed software to attain a false positive of compliance. Remember, you are
essentially asking the computer owner whether everything on the computer is fine and he or
she has not falsified, concealed, or knowingly allowed anyone to configure or install software
on this computer. Does this sound similar to the security warnings you might hear a dozen
times an hour at any airport?
NAP provides a health statement based on the appearance of sound security configurations,
settings, and installed software. It does not scan the computer for malicious software but,
rather, assumes that the verified health state of a computer means that another subsystem or
configuration on an installed security software application performs that feature.
Finally, NAP is an assurance feature. You are determining that the computers connecting to
your network and communicating with the secure internal environment have applied the necessary
security precautions to prevent an outbreak. Remember, if someone with malicious
intent were to circumvent your NAP solution, the assurance that all other computers have
complied with your NAP policies will help deter an attacker from damaging your environment
or possibly acquiring sensitive information. As an enterprise administrator, realize your NAP
solution was not meant to stop an employee or would-be attacker intent on stealing information;
that is not the role a NAP infrastructure is meant to play.
Planning NAP IPsec Enforcement
When looking for the strongest enforcement method to apply within your network, NAP IPsec
enforcement provides the most robust and tamper-resistant solution compared to all other
NAP enforcement methods. IPsec enforcement has these advantages:
■ Tightly controlled enforcement that not even the local administrator is capable of
■ Upgrades to network infrastructure devices such as hubs, switches, and routers to support
NAP are unnecessary
■ Granular control to network access
■ Easier avenue to end-to-end encryption of sensitive communications
Even by manipulating settings and the configuration of the local computer, administrators
cannot bypass health certificates issued by the Health Registration Authority (HRA). Because
all other computers are also protected by the same means, there is no way to subvert this
requirement. Introducing new switches or other network devices provides no means around
the required legitimate health certificate to communicate with hosts expecting the certificate
during the IPsec negotiation.
IPsec works at layer 3 and uses a logical connection that is above the physical layers in the
network; bypassing it would require modification or extensive reconfiguration of physical
IPsec allows an administrator to control communication pathways end-to-end. An administrator
can create hardened IPsec policies that dictate source and destination IP addresses along
with source and destination ports that are allowed for communication and must be encrypted.
IPsec enforcement can also control access to the network stringently but use a general
approach to managing communication. If you use IPsec enforcement to tightly control access
to the secure network, you have already taken a large leap toward encrypting sensitive traffic
within your environment.
The disadvantages of an IPsec enforcement solution deserve serious consideration as well:
■ It requires creation and maintenance of network zones for the logical separation of network
■ It requires the establishment of an internal PKI. If one already exists, it might need a
minor overhaul if its creator did not anticipate the additional load that an IPsec enforcement
solution will incur.
■ It requires another series of servers, which must be managed for configuration, load balancing,
and high availability. Loss of the ability to issue health certificates would mean a
catastrophic loss of communication within the environment.
When weighing the advantages and disadvantages of a NAP solution using IPsec enforcement,
an organization has to consider the increased security that would be provided. IPsec enforcement
provides not only the direct benefits offered by a NAP solution but also the increased
benefits of data confidentiality when communicating throughout the network environment.
Designing NAP IPsec Enforcement
When planning NAP IPsec enforcement for any organization, you need to establish the security
zones first and determine which services to offer in the boundary network. The three
security zones for an IPsec solution are:
■ Restricted network
■ Boundary network
■ Secure network
Restricted Network The restricted network, also referred to as the remediation network, is
not the same as the perimeter network. The restricted network is a select network where noncompliant
computers have limited access to services to perform remediation. Computers
placed into the restricted network consist of either noncompliant NAP clients or non-NAP-capable
clients. For IPsec enforcement, the restricted network includes only these devices.
Computers in the restricted network can initiate communication with computers in the
restricted and boundary networks. Neither communication is protected by IPsec. Computers
in all three networks, however, can initiate communication with computers in the restricted
network. This communication is not protected by IPsec either.
Non-NAP-compliant computers have already attempted communication with an HRA and
have received a System Statement of Health Response (SSoHR) that contains the Statement of
Health Responses (SoHRs) stating which system health agents (SHAs) are noncompliant. The
non-NAP-compliant computer in the restricted network will initiate contact with servers in the
boundary network to perform remediation. After remediation has been performed, the non-
NAP-compliant computer will try again to attain a health certificate. The computer will go
through the process of accumulating, across all SHAs, a Statement of Health (SoH) and submit
a System Statement of Health (SSoH) to an HRA. The HRA, using System Health Validators
(SHVs), will process all SoHs on the SSoH to formulate its SSoHR.
Upon receiving the SSoHR that shows the NAP client as compliant, the HRA also issues a
health certificate so that the NAP client is now part of the secure network and initiates IPsec-authenticated
communication with computers in either the boundary network or the secure
Non-NAP-capable computers are those of guests and other unsupported operating systems
such as any version of Windows earlier than Windows XP SP3, Apple Macintosh computers,
and UNIX computers. A guest computer can be NAP capable but, because it is unmanaged
(not part of AD DS), will more than likely be treated like a non-NAP-capable computer unless
network policies dictate otherwise.
Boundary Network The boundary network contains computers responsible for remediation
as well as for the HRAs, support services such as DNS, AD DS, and DHCP servers, WSUS
and possibly, the NAP CAs. Because the boundary network requires communication from
computers residing in the restricted and secure networks, IPsec policies should allow for
IPsec-authenticated traffic as well as for unauthenticated traffic. Computers in the boundary
network should be managed computers. This enables them to receive their IPsec policies and
changes to those policies through Group Policy.
Boundary servers, when communicating with computers in the restricted network, allow
unauthenticated communication because computers in the restricted network do not contain
the necessary health certificates. When boundary servers communicate with servers in the
restricted network, IPsec-authenticated traffic is required.
There is a twist to this last statement. The boundary computers themselves are the ones that
offer the update services, have the necessary configuration for compliance, and are part of the
NAP components. To ensure that they are capable of initiating IPsec-authenticated communication,
they also require a health certificate. To provide these computers with a health certificate,
create an IPsec NAP exemption group whose membership includes all the computers of
the boundary network. Configure a Group Policy setting that sets the NAP IPsec exemption
group for certificate autoenrollment to acquire the necessary health certificate. Because the
computers of the exemption group need to hold onto this certificate for the period of time they
are performing their services, ensure that the template used to issue the certificate has been set
for an extended period of time.
Computers from the restricted network as well as the computers in the boundary network
need authentication services. Domain controllers located in the boundary network should be
Secure Network The secure network includes all computers that have passed health validation
and have acquired a health certificate. The remaining portion of the NAP components
related to IPsec enforcement also resides here. These components consist of the following:
■ NAP Health Policy servers
■ Health Requirement servers
■ Root CAs
■ RADIUS proxy servers
Computers within this network should be managed computers (part of AD DS). This enables
them to acquire their IPsec policies and any configuration changes to your NAP environment
through Group Policy.
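The restricted-network flow described above (each SHA produces a SoH, the client submits the SSoH to the HRA, SHVs produce the SoHRs that make up the SSoHR, and a compliant result earns a health certificate) together with the zone rules for the restricted, boundary and secure networks, as an added Python model; it is not part of the lesson or of Microsoft's NAP implementation, and the SHA names, policy values, client name and times are constructed.

```python
"""Model of NAP IPsec enforcement: health validation at the HRA and the
restricted / boundary / secure zone rules.  Added illustration, not Microsoft
code.  SHA names, policy values, clients and times are constructed."""
import operator
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2008, 8, 9, 9, 0)          # constructed reference time


def hours_after(h):
    """Express 'h hours after the reference time' as a datetime."""
    return T0 + timedelta(hours=h)


# Health requirement policy held by the NAP health policy server (constructed).
# Key = system health agent (SHA); value = checks its SHV applies to the SoH.
HEALTH_POLICY = {
    "firewall":       [("enabled", "==", True)],
    "antivirus":      [("enabled", "==", True), ("signature_version", ">=", 120)],
    "windows_update": [("enabled", "==", True), ("missing_critical", "<=", 0)],
}
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}


@dataclass
class SoH:                 # Statement of Health produced by one SHA on the client
    sha: str
    claims: dict


@dataclass
class SoHR:                # Statement of Health Response from the matching SHV
    sha: str
    compliant: bool
    reason: str = ""


@dataclass
class HealthCertificate:   # issued through the NAP CA once the SSoHR is compliant
    client: str
    issued: datetime
    lifetime: timedelta

    def valid_at(self, now):
        return self.issued <= now < self.issued + self.lifetime


def validate_soh(soh):
    """System Health Validator: check one SoH against its policy entry."""
    checks = HEALTH_POLICY.get(soh.sha)
    if checks is None:
        return SoHR(soh.sha, False, "no SHV installed for this SHA")
    for claim, op, wanted in checks:
        got = soh.claims.get(claim)
        if got is None or not OPS[op](got, wanted):
            return SoHR(soh.sha, False, f"{claim} {op} {wanted} not met (got {got})")
    return SoHR(soh.sha, True)


def hra_process_ssoh(client, ssoh, now, lifetime=timedelta(hours=4)):
    """HRA: run every SoH in the SSoH through its SHV and assemble the SSoHR.
    A required SHA that sent no SoH is treated as noncompliant.  Only a fully
    compliant SSoHR earns a health certificate; the default lifetime is the
    four hours the lesson recommends."""
    sohrs = [validate_soh(s) for s in ssoh]
    reported = {s.sha for s in ssoh}
    for sha in HEALTH_POLICY:
        if sha not in reported:
            sohrs.append(SoHR(sha, False, "required SHA sent no SoH"))
    compliant = all(r.compliant for r in sohrs)
    cert = HealthCertificate(client, now, lifetime) if compliant else None
    return {"compliant": compliant, "sohrs": sohrs, "certificate": cert}


def noncompliant_shas(ssohr):
    """SHAs the client must remediate (in the boundary network) before retrying."""
    return sorted(r.sha for r in ssohr["sohrs"] if not r.compliant)


def effective_zone(cert, now, exempt=False):
    """A computer is in the secure network only while its health certificate is
    valid; boundary servers hold a long-lived exemption certificate instead."""
    if exempt:
        return "boundary"
    return "secure" if cert is not None and cert.valid_at(now) else "restricted"


def connection_policy(src_zone, dst_zone):
    """Zone rules from the lesson, returned as (allowed, ipsec_authenticated).
    Anyone may initiate to the restricted network, unprotected.  A restricted
    computer may reach the boundary network unprotected (HRA, remediation) but
    never the secure network.  Boundary and secure computers talk to each other
    only over IPsec authenticated with a health certificate."""
    if dst_zone == "restricted":
        return True, False
    if src_zone == "restricted":
        return dst_zone == "boundary", False
    return True, True
```

Running a client through `hra_process_ssoh` twice, once with an outdated antivirus signature and once after remediation, shows it moving from the restricted network to the secure network and, four hours later, back to restricted until it renews the certificate.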
Scaling NAP IPsec Enforcement for Small Environments
When deploying components for NAP IPsec enforcement, you have the opportunity to decide
which components can be installed together. In smaller environments, it might be appropriate
to consolidate several services on one computer. The issue becomes deciding which services to
install together.
The HRA must be able to support unprotected communication from NAP clients, and you
should, therefore, install the HRA in the boundary network. Because the load on the HRA in
a small environment might not be that heavy, you might decide to install it on a computer that
has one or more of the following services other computers in the boundary network also need:
■ NPS configured for the NAP Health Policy Server role
If your environment is expected to grow, it would be wise to move some of these components
to another server. You can then assume that the server installed with the HRA would be
deployed in the boundary network, and another computer with the remaining services would
be deployed in the secure network.
IMPORTANT Splitting the HRA and the NAP Health Policy Server role
If you split the HRA and the NAP Health Policy Server role to two computers, you still need to
install the NPS role on the HRA computer. Then configure a RADIUS server group and a connection
request policy for the local NPS service to forward requests to the remote RADIUS server group in
the secure network.
Administrators of extremely small sites of 15 or fewer computers might consider employing
ISA Server 2006. ISA Server can create a site-to-site VPN link to the main office boundary network.
The connection from the VPN server in the boundary network can be treated like any
other local connection requiring IPsec enforcement to obtain a certificate initially. After a computer
at the remote office has obtained a health certificate, IPsec rules can be managed granularly
to ensure that the branch office computer is able to communicate only with the
necessary services at the remote office, through the site-to-site VPN, and in the boundary network
for remediation and renewal of certificates. ISA Server would require a certificate as well
and should probably be included in the IPsec exemption group. Ensure that a computer certificate
is issued to the computer running ISA Server for an extended period of time.
Scaling NAP IPsec Enforcement for Larger Environments
For larger environments, several components require a thorough design review to ensure high
availability and load balancing of specific components. You can begin by deciding which of the
following services will be installed individually on at least two or more computers in the
boundary network at the corporate office:
■ Subordinate NAP CA
■ Remediation server services
By providing fault tolerance for the HRA, the RODCs, and the NAP CA, you are ensuring a
healthy environment. Remember that by employing IPsec enforcement, you are required to
have these services running constantly. If one or more of these services become unavailable,
health certificates will expire, and communication within the network will fail. Ensuring the
ability of NAP clients to acquire health certificates is essential because all communication
depends upon the necessity of each computer to present a valid health certificate when
attempting to communicate with another computer.
In the secure network, deploy at least two NAP health policy servers. Configure the HRA computers
as RADIUS clients of the NAP health policy servers. To ensure proper load balancing
when configuring the remote RADIUS server group of the NPS service on the HRA computers,
use the same priority and weight settings for all members of the RADIUS server group on each
of the HRA computers.
For deployments at the branch offices, consider using the deployment models discussed previously
for a small company. The services offered at the branch offices would model the same
considerations given to a smaller company with a single site.
PKI Support for IPsec Enforcement
IPsec enforcement use of health certificates requires you, as the enterprise administrator, to
reexamine the role PKI currently has within your environment. If a PKI does not exist, you
need to deploy one. If one already exists, consider the additional load balancing and management
that will be needed.
Smaller environments that already have a PKI probably require only the creation of a subordinate
CA for NAP. This CA can be deployed in the boundary networks on the HRA to conserve
server resources.
Larger environments require more planning because you now need to consider additional
aspects of PKI when employed for use with NAP IPsec enforcement. The load on the CA issuing
health certificates will be directly proportional to:
■ The number of NAP clients in the environment.
■ The lifetime of a health certificate.
The number of NAP clients is not something that you can truly control because deploying a
NAP solution would entail using it pervasively throughout the environment.
The lifetime of the health certificate is something you can administer, and it has a direct influence
over the load on your NAP CAs. Microsoft recommends for best practices to keep the lifetime
at a minimum, preferably four hours. Reducing this time increases the load on the NAP
CAs for renewals. Increasing the time, although reducing the load on the NAP CAs, also
increases the likelihood that a computer can be out of compliance for a longer period due to
changes in the health requirement policy.
Structure of the PKI For most environments, adding an additional subordinate CA to issue
health certificates for NAP is sufficient. Microsoft recommends that, in large environments,
administrators create an entirely new PKI for NAP. You need to install a new root CA on a
server within the secure environment and secure its private key with a hardware security module
(HSM). Create subordinate CAs for NAP to issue the health certificates. These can be
deployed in the boundary network and given the same security consideration as the RODCs
deployed there. This would mean the removal of all unnecessary services and provide a limited
attack surface. Securing its private key is not as critical as securing the root CA because
certificates issued by it will have a limited lifetime.
You do not need to worry about issuing timely certificate revocation lists (CRLs) for this portion
of your PKI because the certificates will expire long before the CRLs are published. In
addition, an OCSP responder service is also unnecessary due to the limited lifetime of your
health certificates.
Configuring Additional NAP Components on Clients System health agents from third-party
members need to be installed on all NAP clients. A variety of software distribution methods
is available to an administrator. You can use any one of the following not only for IPsec
enforcement but also for VPN enforcement, 802.1x enforcement, and DHCP enforcement,
which are discussed later in this chapter:
■ Software deployment or logon scripts through Group Policy.
■ Desktop management software such as Microsoft System Center Configuration Manager
■ Manual installation for unmanaged computers.
■ Shares on remediation servers. Configure the troubleshooting URLs to instruct the user
to install the missing SHAs.
NOTE Troubleshooting URLs
Troubleshooting URLs are configured as part of the remediation experience in case clients that fail
compliance do not have the Configuration Manager client installed. On one of the remediation
servers installed in the restricted network, configure a Web URL to help instruct remediation clients
on the location of software and options to choose to help acquire a successful health validation.
Configuring NAP Health Policy Servers The NPS server running the NAP health policy
server can be configured with additional third-party SHVs. Installation instructions for the
third-party SHVs are provided by the third-party vendor. The SHVs must be installed on all
NAP health policy servers participating in the NAP solution for IPsec as well as for VPN
enforcement, 802.1x enforcement, and DHCP enforcement, which are discussed later in this
chapter. Windows Server 2008 provides the default Windows Security Health Validator SHV
that provides security settings for the Windows Security Center on Windows NAP clients.
Planning NAP VPN Enforcement
VPN enforcement in NAP is supported for VPN remote access connections by using PPP, specifically
working in conjunction with the PPP authentication phase. Windows XP SP3, Windows
Vista, and Windows Server 2008 support the remote access quarantine enforcement client for
NAP clients.