646 Windows Server 2008 Networking and Network Access Protection (NAP) To Configure the Network Policy and Access Services Role on an HRA Computer 1. Run Server Manager on the HRA computer. 2. Under Roles Summary, click Add Roles. 3. On the Select Server Roles page, select the Network Policy And Access Services check box, and then click Next twice. 4. On the Select Role Services page, select the Health Registration Authority check box, click Add Required Role Services in the Add Roles Wizard window that appears, and then click Next. 5. If you have not previously installed the Web Server role, you are prompted with the Choose The Certificate Server To Use With The Health Registration Authority page. Choose the appropriate option, and then click Next. Figure 16-5 shows an example. Figure 16-5 Example of choosing a certificate server 6. On the Choose Authentication Requirements For The Health Registration Authority page, choose either Yes, Require Requestors To Be Authenticated As Members Of A Domain (for authenticated health certificates) or No, Allow Anonymous Requests For Health Certificates (for anonymous certificate support), and then click Next. By enabling anonymous certificates, non–domain-joined computers can receive health certificates. C16624221.fm Page 646 Wednesday, December 5, 2007 5:19 PM Chapter 16: IPsec Enforcement 647 7. On the Choose A Server Authentication Certificate for SSL Encryption page, do one of the following: ❑ Click Choose An Existing Certificate For SSL Encryption, and then select the previously installed computer certificate. ❑ Click Create A Self-Signed Certificate For SSL Encryption if you are using a very small-scale deployment of NAP or for a test lab. This option requires that you also install the self-signed certificate on all your NAP clients. ❑ Click Don’t Use SSL Or Choose A Certificate For SSL Encryption Later if you do not want to use SSL or if the computer certificate that you plan to use for SSL encryption has not yet been installed. HTTPS between NAP clients and HRAs is recommended but not required. Figure 16-6 shows an example. Figure 16-6 Example of choosing a certificate for SSL encryption 8. Click Next. 9. If you have not previously installed the Web Server (IIS) role, you are prompted with the Web Server (IIS) and Select Role Services pages. HRAs require only the default Web Server (IIS) role services. Click Next on both pages. 10. On the Confirm Installation Selections page, verify your configuration selections, and then click Install. C16624221.fm Page 647 Wednesday, December 5, 2007 5:19 PM 648 Windows Server 2008 Networking and Network Access Protection (NAP) Configuring the NAP CAs with HRA Permissions The NAP CAs must be configured with permissions to allow the HRA computers to request certificates. The HRA computers can also be granted permission to manage the CA so that it can automatically remove expired certificates from the NAP CA certificate database. To Configure the NAP CA Permissions 1. In the console tree of the Certification Authority snap-in, right-click the NAP CA name, and then click Properties. 2. Click the Security tab, and then click Add. 3. Click Object Types, select the Computers check box, and then click OK. 4. Under Enter The Object Names To Select, type the names of the HRA computers, and then click OK. 5. Click the name of an HRA computer, or if the NAP CA and HRA are on the same com- puter, select Network Service. Then select the Request Certificates and Issue And Man- age Certificates check boxes. If you are using automatic CA database management, select the Manage CA check box. 6. Click OK. 7. Repeat steps 5 and 6 for all the HRA computers in the list on the Security tab. Note Selecting the Manage CA permissions is optional. If you do not want to grant the HRA computers the ability to manage the NAP CA database, you should use a manual method to periodically remove the entries of the NAP CA database. For more information, see “Ongoing Maintenance” later in this chapter. Configuring the Properties of the HRA Each HRA computer must now be configured with the ordered list of NAP CAs from which it will request health certificates for NAP clients. To Configure an HRA Computer 1. In the console tree of the Health Registration Authority snap-in, click Certification Authority. Depending on your choice on the Choose The Certificate Server To Use With The Health Registration Authority page when installing the Network Access and Policy Services role, a NAP CA might already be listed in the details pane. 2. To add a NAP CA, right-click Certification Authority, and then click Add Certification Authority. 3. Type the name of the NAP CA, or click Browse to select the NAP CA. 4. Click OK. Repeat steps 2 and 3 as needed to add the complete list. C16624221.fm Page 648 Wednesday, December 5, 2007 5:19 PM Chapter 16: IPsec Enforcement 649 5. In the details pane, verify that the ordered list of NAP CAs reflects the correct list for this HRA. Reorder the NAP CAs as needed. 6. In the console tree, right-click Certification Authority, and then click Properties. 7. On the Settings tab, specify the appropriate settings such as the lifetime of the health certificates that are requested by the HRA and whether the HRA is using standalone or enterprise CAs. Repeat this procedure for each HRA computer. Direct from the Source: Configuring the HRA for an Enterprise CA The HRA is set by default to use standalone CA mode, which is not compatible with an enterprise issuing CA. When you use an enterprise CA to issue NAP health certificates, or if you use both enterprise and standalone CAs with a single HRA, you must configure CA properties in HRA to use the enterprise operational mode by selecting Use Enter- prise Certification Authority in the HRA snap-in properties dialog box or by running the netsh nap hra set opmode=1 command. When you enable HRA to use an enterprise CA, you are required to select certificate tem- plates for authenticated and anonymous client requests. The anonymous compliant certificate template must be selected even if you did not choose to enable anonymous certificate requests when installing the HRA. Selecting an anonymous template does not enable anonymous health certificate requests, and it is not required that you select a different template for authenticated and anonymous requests. Unless your deployment includes a requirement that non–domain-joined clients be issued health certificates, you should select the same certificate template for anonymous and authenticated requests. The authenticated template that you select determines which certificate will be issued to compliant clients with a trusted server group configuration set to use the DomainHRA Web site URL. The anonymous template selected determines the certificate issued in response to requests made to the NonDomainHRA URL. Greg Lindsay, Technical Writer Windows Server User Assistance Configuring the NPS Service on the HRA as a RADIUS Proxy If the NAP health policy server is located on a different server than the HRA computer, you must configure the NPS service on the HRA computer as a RADIUS proxy. This allows the HRA computer to act as a RADIUS client and send RADIUS-based requests to a NAP health policy server. C16624221.fm Page 649 Wednesday, December 5, 2007 5:19 PM 650 Windows Server 2008 Networking and Network Access Protection (NAP) To Configure the NPS Service on an HRA Computer as a RADIUS Proxy 1. In the console tree of the Network Policy Server snap-in, expand the RADIUS Clients And Servers node. 2. Right-click Remote RADIUS Server Groups, and then click New. 3. In the New Remote RADIUS Server Group dialog box, in the Group Name box, type the name of the group (for example, NAP Health Policy Servers), and then click Add. 4. On the Address tab, type the DNS FQDN, IPv4 address, or IPv6 address of a NAP health policy server. 5. On the Authentication/Accounting tab, in the Shared Secret and Confirm Shared Secret boxes, type the RADIUS shared secret. Do not change the authentication or accounting ports. 6. On the Load Balancing tab, specify the weight and priority for RADIUS traffic to this RADIUS server and failover and failback settings as needed, and then click OK. 7. In the New Remote RADIUS Server Group dialog box, click Add, and then repeat steps 4–6 for each NAP health policy server that this HRA will use to perform health validation for NAP clients. 8. In the console tree of the Network Policy Server snap-in, expand the Policies node. 9. Right-click Connection Request Policies, and then click New. 10. On the Specify Connection Request Policy Name And Connection Type page, type the name of the connection request policy (such as RADIUS Proxy to NAP Health Policy Servers), in the Type Of Network Access Server drop-down list, select Health Registra- tion Authority, and then click Next. 11. On the Specify Conditions page, click Add. 12. In the Select Condition dialog box, double-click Day And Time Restrictions. 13. In the Time Of Day Constraints dialog box, click Permitted, click OK and then click Next. 14. On the Specify Connection Request Forwarding page, select Forward Requests To The Following Remote RADIUS Server Group For Authentication, and select the remote RADIUS server group created in step 3. Click Accounting, select Forward Accounting Requests To This Remote RADIUS Server Group, select the remote RADIUS server group created in step 3 from the drop-down list, and then click Next. 15. On the Configure Settings page, click Next. 16. On the Completing Connection Request Policy Wizard page, click Finish. Configuring IIS for SSL If you are using HTTPS between NAP clients and HRAs, you must configure IIS on the HRA computer to require SSL encryption for the HRA Web sites. C16624221.fm Page 650 Wednesday, December 5, 2007 5:19 PM Chapter 16: IPsec Enforcement 651 To Configure IIS on an HRA 1. In the console tree of the Internet Information Services (IIS) Manager snap-in, expand the HRA computer name, then Sites, and then Default Web Site. 2. Click DomainHRA, and then in the details pane, double-click SSL Settings. 3. In the details pane, select Require SSL and optionally, Require 128-bit SSL. The require- ment for 128-bit SSL encryption depends on your SSL security requirements. If you do not enable 128-bit SSL, SSL encryption between NAP clients and the HRA will use a 40-bit encryption key. 4. In the Actions pane, click Apply to save the changes. 5. If you have enabled anonymous certificates and want to enable SSL encryption between non–domain-joined NAP clients and the HRA, in the console tree, click NonDomain- HRA, and then in the details pane, double-click SSL Settings. 6. In the details pane, select Require SSL and optionally, Require 128-bit SSL. 7. In the Actions pane, click Apply to save the changes. Configuring NAP Health Policy Servers To configure a NAP health policy server, perform the following tasks: ■ Add the Network Policy and Access Services Role. ■ Install SHVs. ■ Configure RADIUS server settings. ■ Configure health requirement policies for IPsec enforcement. Adding the Network Policy and Access Services Role To add the Network Policy and Access Services role on a NAP health policy server, you must do the following: 1. On the NAP health policy server computer, run Server Manager. 2. Under Roles Summary, click Add Roles. 3. On the Select Server Roles page, select the Network Policy and Access Services check boxes, and then click Next twice. 4. On the Select Role Services page, click Network Policy Server, and then click Next. 5. On the Confirm Installation Selections page, click Install. Repeat this procedure for each NAP health policy server. C16624221.fm Page 651 Wednesday, December 5, 2007 5:19 PM 652 Windows Server 2008 Networking and Network Access Protection (NAP) Installing SHVs The SHVs that you are using must be installed on each NAP health policy server to be included in the health policy evaluation. The Network Policy and Access Services role includes the Windows Security Health Validator SHV to specify the settings of the Windows Security Center on Windows Vista–based and Windows XP–based NAP clients. The exact method of installation of additional SHVs will depend on the SHV vendor and can include downloading the SHV from a vendor Web page or running a setup program from a vendor-supplied CD-ROM. Check with your SHV vendor for information about the method of installation. Configuring RADIUS Server Settings Each NAP health policy server is a RADIUS server, which might need to be configured with the following RADIUS server settings: ■ UDP ports for RADIUS traffic This step is typically needed only if the NAP health policy server is also being used as a RADIUS server for other purposes and other RADIUS clients are using different UDP ports than those defined in the RADIUS RFCs. The default UDP ports used by NAP health policy servers are the same ports as used by the HRAs. ■ RADIUS logging You can configure the NPS service to log incoming requests and accounting information in local files or a Microsoft SQL Server database. For more infor- mation, see Chapter 9. You must configure each NAP health policy server with HRAs as RADIUS clients. To Add a RADIUS Client Corresponding to an HRA 1. In the console tree of the Network Policy Server snap-in, expand RADIUS Clients and Servers, right-click RADIUS Clients, and then click New RADIUS Client. 2. In the New RADIUS Client dialog box, in the Name and Address section, in the Friendly Name box, type a name for the HRA computer. In the Client Address (IP Or DNS) box, type the IPv4 address, IPv6 address, or DNS domain name of the HRA computer. If you type a DNS domain name, click Verify to resolve the name to the correct IP address for the HRA computer. 3. In the Shared Secret section, in the Shared Secret and Confirm Shared Secret boxes, type the shared secret for this combination of NPS server and HRA computer, or click Generate to have the NPS service generate a strong RADIUS shared secret. 4. Select the RADIUS Client Is NAP-Capable check box, and then click OK. Repeat this procedure for every HRA that will be sending health evaluation requests to the NAP health policy server. C16624221.fm Page 652 Wednesday, December 5, 2007 5:19 PM Chapter 16: IPsec Enforcement 653 Configuring Health Requirement Policies for IPsec Enforcement You can create your health requirement policies for IPsec enforcement manually or with the Configure NAP Wizard. Because of the amount of automated configuration being done by the Configure NAP Wizard, this method is recommended and is described in this chapter. To Create a Set of Policies for IPsec Enforcement 1. In the Network Policy Server snap-in, in the console tree, click NPS. 2. In the details pane, under Standard Configuration, in the drop-down list, select Network Access Protection (NAP), and then click Configure NAP. 3. On the Select Network Connection Method For Use With NAP page, under Network Connection Method, select IPsec With Health Registration Authority (HRA); in the Policy Name box, type a name (or use the name created by the wizard); and then click Next. 4. On the Specify NAP Enforcement Servers Running HRA page, click Next. Because we already added the RADIUS clients corresponding to the HRAs of this NAP health policy server, we do not need to add RADIUS clients. 5. On the Configure User Groups and Machine Groups page, configure computer groups as needed, and then click Next. 6. On the Define NAP Health Policy page, on the Name list, select the SHVs that you want to have evaluated for IPsec enforcement, select the Enable Auto-Remediation Of Client Computers check box if needed, and then click Next. 7. On the Completing NAP Enforcement Policy And RADIUS Client Configuration page, click Finish. The NAP Wizard creates the following: ■ A health policy for compliant NAP clients based on the SHVs selected in the NAP Wizard ■ A health policy for noncompliant NAP clients based on the SHVs selected in the NAP Wizard ■ A connection request policy for IPsec enforcement requests ■ A network policy for compliant NAP clients that allows full access ■ A network policy for noncompliant NAP clients that allows limited access Because the default network policy for NAP clients allows only limited access (enforcement mode), we must modify the network policy for noncompliant NAP clients to allow full access for reporting mode. C16624221.fm Page 653 Wednesday, December 5, 2007 5:19 PM 654 Windows Server 2008 Networking and Network Access Protection (NAP) To Configure Reporting Mode 1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network Policies. 2. In the contents pane, double-click the network policy for noncompliant NAP clients that was created by the NAP Wizard. For example, if you specified “IPsec Enforcement” as the name on the Select Network Connection Method For Use With NAP page of the NAP Wizard, the network policy for noncompliant NAP clients would have the name “IPsec Enforcement Noncompliant.” 3. Click the Settings tab, and then select NAP Enforcement. 4. In the network policy properties dialog box, in the details pane, select Allow Full Network Access, and then click OK. The next step is to ensure that the SHVs that you are using have the correct settings that reflect your health requirements. To Configure the SHVs for the Required Health Settings 1. In the console tree of the Network Policy Server snap-in, expand Network Access Protec- tion, and then select System Health Validators. 2. In the details pane, under Name, double-click your SHVs, and then configure each SHV with your requirements for system health. For example, double-click Windows Security Health Validator, and then click Config- ure. In the Windows Security Health Validator dialog box, configure system health requirements for Windows Vista–based and Windows XP–based NAP clients. The next step is to ensure that your health policies are configured for the correct SHVs and conditions to reflect your health requirements. To Configure the Health Policy Conditions for the Required Health Settings 1. In the console tree of the Network Policy Server snap-in, expand Policies, and then Health Policies. 2. In the details pane, double-click the health policies for compliant and noncompliant NAP clients, and make changes as needed to the health evaluation conditions and the selected SHVs. Configuring Remediation Servers on the Boundary Network The first task in configuring remediation servers on the boundary network is to identify the set of servers that noncompliant NAP clients must be able to access. As described in Chapter 14, remediation servers can consist of the following types of computers: ■ DHCP servers ■ DNS and WINS servers C16624221.fm Page 654 Wednesday, December 5, 2007 5:19 PM Chapter 16: IPsec Enforcement 655 ■ Active Directory domain controllers ■ Internet proxy servers ■ Troubleshooting URL Web servers ■ Health update servers The next step is to place the computer accounts for the remediation servers in the following: ■ The IPsec exemption group (so that they can obtain a long-lived health certificate) ■ The boundary network OU or security group (so that they can receive boundary network IPsec policy settings) Depending on the SHAs that your NAP clients are using, you might need to configure your health update servers to provide updates or services to noncompliant NAP clients. See the vendors for your SHAs for information about what needs to be installed and configured. Configuring NAP Clients To configure your NAP clients, perform the following tasks: ■ Install SHAs. ■ Configure NAP clients through Group Policy. ■ Configure DNS discovery of HRAs (if needed). ■ Add NAP clients to the secure network. Installing SHAs Windows Vista–based and Windows XP SP3–based NAP clients include the Windows Security Health Agent SHA. If you are using additional SHAs from third-party vendors, you must install them on your NAP clients. The exact method of installation of additional SHAs will depend on the SHA vendor and can include downloading the SHA from a vendor Web page or running a setup program from a vendor-supplied CD-ROM. Check with your SHA vendor for information about the method of installation. On an enterprise network, you can use the following methods: ■ Network management software such as Microsoft Systems Management Server (SMS) or System Center Configuration Manager 2007 to install software across an organization. ■ Login scripts that execute the setup program for the SHA. C16624221.fm Page 655 Wednesday, December 5, 2007 5:19 PM [...]... available both as a stand-alone title and in the Windows Server 2008 Resource Kit (both from Microsoft Press, 2008) C16624221.fm Page 6 79 Wednesday, December 5, 2007 5: 19 PM Chapter 16: IPsec Enforcement 6 79 ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver /2008 ■ Windows Server 2008 Help and Support ■ Microsoft Windows Server Active Directory” (http://www .microsoft. com/ad)... ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver/ 2008 ■ Windows Server 2008 Help and Support ■ “Public Key Infrastructure” (http://www .microsoft. com/pki) ■ Windows Server 2008 PKI and Certificate Security by Brian Komar (Microsoft Press, 2008) For additional information about Group Policy, see the following: ■ Windows Group Policy Resource Kit: Windows Server 2008. .. 2008 and Windows Vista by Derek Melber, Group Policy MVP, with the Windows Group Policy Team (Microsoft Press, 2008) ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver/ 2008 ■ Windows Server 2008 Help and Support ■ Microsoft Windows Server Group Policy” (http://www .microsoft. com/gp) For additional information about RADIUS and NPS, see the following: ■ Chapter 9, “Authentication... Infrastructure” ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver/ 2008 ■ Windows Server 2008 Help and Support ■ Network Policy Server (http://www .microsoft. com/nps) For additional information about IPsec, see the following: ■ Chapter 4, Windows Firewall with Advanced Security” ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver/ 2008 ■ Windows. .. Enforcement” ■ Windows Server 2008 Technical Library at http://technet .microsoft. com/windowsserver /2008 ■ Windows Server 2008 Help and Support ■ Network Access Protection (http://www .microsoft. com/nap) For additional information about Active Directory, see the following: ■ Windows Server 2008 Active Directory Resource Kit by Stan Reimer, Mike Mulcare, Conan Kezema, and Byron Wright, with the Microsoft. .. 2007 5: 19 PM 662 Windows Server 2008 Networking and Network Access Protection (NAP) Next, create the GPO containing the IPsec policy settings that require IPsec protection for inbound communication attempts and request IPsec protection for outbound communication attempts for computers on the secure network To Configure Secure Network IPsec Policy Settings 1 On a computer running Windows Server 2008 with... Use Server Manager to verify that the Active Directory Certificate Services role is installed ■ Use the Services snap-in to verify that the Active Directory Certificate Services service is started and configured for automatic startup C16624221.fm Page 676 Wednesday, December 5, 2007 5: 19 PM 676 Windows Server 2008 Networking and Network Access Protection (NAP) ■ For a Windows Server 2003–based or Windows. .. in the boundary network ■ Verify the membership of the boundary network security group or OU ■ Verify the membership of the secure network security group or OU C16624221.fm Page 678 Wednesday, December 5, 2007 5: 19 PM 678 Windows Server 2008 Networking and Network Access Protection (NAP) Troubleshooting IPsec Policy To troubleshoot IPsec policy on computers in the boundary and secure networks, do the... trusted server groups C16624221.fm Page 658 Wednesday, December 5, 2007 5: 19 PM 658 Windows Server 2008 Networking and Network Access Protection (NAP) Enabling the Windows Security Center To use Group Policy to enable the Windows Security Center on NAP clients, do the following: 1 In the console tree of the Group Policy Management Editor snap-in, expand Computer Configuration\Administrative Templates \Windows. .. and the certificates that it issues, see Windows Server 2008 Help and Support or the resources on http://www .microsoft. com/pki Managing HRAs You might need to manage HRAs when adding or removing an HRA from your IPsec enforcement deployment C16624221.fm Page 668 Wednesday, December 5, 2007 5: 19 PM 668 Windows Server 2008 Networking and Network Access Protection (NAP) Adding an HRA To add a new HRA to . PM 654 Windows Server 2008 Networking and Network Access Protection (NAP) To Configure Reporting Mode 1. In the console tree of the Network Policy Server snap-in, expand Policies, and then click Network. client and send RADIUS-based requests to a NAP health policy server. C16624221.fm Page 6 49 Wednesday, December 5, 2007 5: 19 PM 650 Windows Server 2008 Networking and Network Access Protection (NAP) To. 646 Windows Server 2008 Networking and Network Access Protection (NAP) To Configure the Network Policy and Access Services Role on an HRA Computer 1. Run Server Manager on the