
Upload: paul

Post on 10-Mar-2015


Description: NAP, Server 2008 70-642 notes

Page 1: Server 2008 NAP Network Access Protection

Network Access Protection (NAP)

This new service allows an administrator to set the level of health required for the network and to restrict computers that do not meet these requirements from communicating with the corporate network. For example, NAP can check which updates are deployed on the workstation, whether the antivirus or antispyware is up to date, and so on. If a computer does not meet the security standards in force in the company, it is confined to a restricted (quarantine) network where it can reach services that let it update its system and return to a compliant configuration. NAP also checks the workstation's compliance throughout the session. For example, if the user disables the built-in firewall, NAP can automatically take action to re-enable it if the security policy requires that the firewall is enabled. Security policies are stored on a server called NPS (Network Policy Server). NAP can be used with Windows Vista clients and Windows XP SP3.

NAP infrastructure includes the following server roles:

o Health policy server – Sometimes referred to as the Network Policy Server (NPS), the health policy server is a Windows Server 2008 server running IAS. Regardless of the enforcement method, this server evaluates the statements of health submitted by clients and determines what access to allow.

o Health requirement server – Also called the NAP Administration Server, this Windows Server 2008 server

o Health registration authority – This server must be running Windows Server 2008. It receives health certificates from a certificate authority (CA) and forwards them to clients that meet the system health requirements.

o Active Directory Domain Services (AD DS) – AD DS provides user authentication and other services; it is required for IPsec, 802.1X, and VPN enforcement.

o Remediation Servers – These are servers accessible to non-compliant clients on the restricted network. NAP clients can access the remediation servers to retrieve operating system updates, up-to-date antivirus signatures, or other resources in order to become compliant with the health requirement policies.

Enforcement

For NAP to work, a network component must enforce NAP by either allowing or denying network access.

One or more of the following four enforcement methods must be implemented:

o IPsec – IPsec does not appear on the diagram because, when it is used as the enforcement method, all of the managed systems have IPsec policies that limit access for systems that have not demonstrated compliance.

o 802.1X – These are Ethernet switches or wireless access points that support 802.1X authentication.

o VPN – This is a server running Windows Server 2008 and RRAS; it provides remote access to clients.

o DHCP – This is a server running Windows Server 2008 and the DHCP service.


NAP enforcement methods

NAC solutions can be distinguished according to their methods of enforcing compliance with the health requirements. NAP supports five different enforcement methods: DHCP enforcement, VPN enforcement, 802.1X enforcement, IPsec enforcement, and TS Gateway enforcement. Third-party vendors can extend NAP with their own enforcement methods.

IPsec Connection Security

This enforcement type requires clients to perform a NAP health check before they can receive a health certificate. In turn, this health certificate is required for IPsec connection security before the client can connect to IPsec-protected hosts. IPsec enforcement allows you to require health compliance on a per-IP address or a per-TCP/UDP port number basis. For example, you could allow noncompliant computers to connect to a Web server but allow only compliant computers to connect to a file server, even if the two services are running on a single computer. You can also use IPsec connection security to allow healthy computers to communicate only with other healthy computers. IPsec enforcement requires a CA running Windows Server 2008 Certificate Services and NAP to support health certificates. In production environments, you will need at least two CAs for redundancy. Other public key infrastructures (PKIs) will not work. IPsec enforcement provides a very high level of security, but it can protect only computers that are configured to support IPsec.

802.1X Access Points

This enforcement type uses Ethernet switches or wireless access points that support 802.1X authentication. Compliant computers are granted full network access, and noncompliant computers are connected to a remediation network or completely prevented from connecting to the network. If a computer falls out of compliance after connecting to the 802.1X network, the 802.1X network access device can change the computer's network access. This provides some assurance of compliance for desktop computers, which might remain connected to the network indefinitely. 802.1X enforcement uses one of two methods to control which level of access compliant, noncompliant, and unauthenticated computers receive:

o An access control list (ACL) – A set of IPv4 or IPv6 packet filters configured on the 802.1X access point. The 802.1X access point applies the ACL to the connection and drops all packets that are not allowed by the ACL. Typically, you apply an ACL to noncompliant computer connections and allow compliant computers to connect without an ACL (thus granting them unlimited network access). ACLs allow you to prevent noncompliant computers from connecting to one another, thus limiting the ability of a worm to spread, even among noncompliant computers.

o A virtual local area network (VLAN) – A group of ports on the switch that are grouped together to create a separate network. VLANs cannot communicate with one another unless you connect them using a router. VLANs are identified using a VLAN identifier, which must be configured on the switch itself. You can then use NAP to specify in which VLAN the compliant, noncompliant, and unauthenticated computers are placed. When you place noncompliant computers into a VLAN, they can communicate with one another. This can allow a noncompliant computer infected with a worm to attack, and possibly infect, other noncompliant computers. Another disadvantage of using VLANs is that the client's network configuration must change when transitioning from being a noncompliant NAP client to being a compliant NAP client (for example, if they are able to successfully apply updates). Changing the network configuration during system startup and user logon can cause Group Policy updates or other boot processes to fail.

VPN Server

This enforcement type enforces NAP for remote access connections using a VPN server running Windows Server 2008 and Routing and Remote Access (other VPN servers do not support NAP). With VPN server enforcement enabled, only compliant client computers are granted unlimited network access. The VPN server can apply a set of packet filters to connections for noncompliant computers, limiting their access to a remediation server group that you define. You can also define IPv4 and IPv6 packet filters, exactly as you would when configuring a standard VPN connection.

DHCP Server

This enforcement type uses a computer running Windows Server 2008 and the Dynamic Host Configuration Protocol (DHCP) Server service that provides IP addresses to intranet clients. Only compliant computers receive an IP address that grants full network access; noncompliant computers are granted an IP address with a subnet mask of 255.255.255.255 and no default gateway. Additionally, noncompliant hosts receive a list of host routes (routes that direct traffic to a single IP address) for network resources in a remediation server group that you can use to allow the client to apply any updates required to become compliant. This IP configuration prevents noncompliant computers from communicating with network resources other than those you configure as part of a remediation server group. If the health state of a NAP client changes (for example, if Windows Firewall is disabled), the NAP client performs a new health evaluation using a DHCP renewal. This allows clients that become noncompliant after successfully authenticating to the network to be blocked from further network access. If you change the health policy on NAP servers, the changes will not be enforced until the client's DHCP lease is renewed. Although 802.1X network access devices and VPN servers are capable of disconnecting computers from the network and IPsec enforcement can allow connections only from healthy computers, DHCP server enforcement points can be bypassed by an attacker who manually configures an IP address. Nonetheless, DHCP server enforcement can reduce the risk from nonmalicious users who might attempt to connect to your network with a noncompliant computer.

System Health Agents and System Health Validators

System Health Agent (SHA)

This is the agent/service on the NAP Enforcement Client (EC) that sends health information to the Enforcement Server (ES). The Windows System Health Validator SHA is included in Windows Vista and Windows XP SP3.

System Health Validator (SHV)

The System Health Validator takes the information it has received from the System Health Agent and compares that information against the health policy that has been defined.

The NAP connection process is as follows:

1. The NAP client connects to a network that requires NAP.

2. Each SHA on the NAP client validates its system health and generates an SoH. The NAP client combines the SoHs from multiple SHAs into a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs.

3. The NAP client sends the SSoH to the NAP health policy server through the NAP enforcement point.

4. The NAP health policy server uses its installed SHVs and the health requirement policies that you have configured to determine whether the NAP client meets health requirements. Each SHV produces a Statement of Health Response (SoHR), which can contain remediation instructions (such as the version number of an antivirus signature file) if the client doesn't meet that SHV's health requirements.

5. The NAP health policy server combines the SoHRs from the multiple SHVs into a System Statement of Health Response (SSoHR).

6. The NAP health policy server sends the SSoHR back to the NAP client through the NAP enforcement point. The NAP enforcement point can now connect a compliant computer to the network or connect a noncompliant computer to a remediation network.

7. Each SHA on the NAP client processes the SoHR created by the corresponding SHV. If possible, any noncompliant SHAs can attempt to come into compliance (for example, by downloading updated antivirus signatures).

8. If any noncompliant SHAs were able to meet the requirements specified by the SHV, the entire process starts over again, hopefully with a successful result.
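The eight steps above, as an added example that is not part of the original notes or of Microsoft's NAP code: a Python model of the SoH/SSoH/SoHR/SSoHR exchange with two SHAs (firewall, antivirus) and their SHVs, ending in the Pass/Fail health policy and the full/limited access decision described later under Network policies. The component names, signature version number and remediation URL are assumptions.

```python
from dataclasses import dataclass

# Constructed example, not Microsoft's NAP implementation. Component names,
# the health-policy templates and the URL below are assumptions.
FIREWALL = "Windows Firewall"
ANTIVIRUS = "Antivirus"
NAP_CLIENT_VERSION = "1.0"                               # assumed, carried in the SSoH
LATEST_AV_SIGNATURE = 20150310                           # assumed current signature version
TROUBLESHOOTING_URL = "http://remediation.example/help"  # assumed remediation web page


@dataclass
class SoH:
    """Statement of Health emitted by one System Health Agent (step 2)."""
    component: str
    enabled: bool
    signature_version: int = 0


@dataclass
class SoHR:
    """Statement of Health Response emitted by the matching SHV (step 4)."""
    component: str
    compliant: bool
    remediation: str = ""


@dataclass
class Client:
    """A NAP client: its current state plus the SHAs that report on it."""
    firewall_on: bool
    av_on: bool
    av_signature: int

    def build_ssoh(self) -> dict:
        """Step 2: every SHA validates its area and the client combines the
        SoHs, plus its version, into a System Statement of Health."""
        sohs = [SoH(FIREWALL, self.firewall_on),
                SoH(ANTIVIRUS, self.av_on, self.av_signature)]
        return {"version": NAP_CLIENT_VERSION, "sohs": sohs}

    def remediate(self, ssohr: dict) -> bool:
        """Step 7: each SHA acts on its SoHR (auto-remediation). Returns True
        when something changed, so the client re-evaluates (step 8)."""
        changed = False
        for r in ssohr["sohrs"]:
            if r.compliant:
                continue
            if r.component == FIREWALL:
                self.firewall_on = True                  # re-enable the firewall
            elif r.component == ANTIVIRUS:
                self.av_on = True
                self.av_signature = LATEST_AV_SIGNATURE  # fetch updated signatures
            changed = True
        return changed


def firewall_shv(soh: SoH) -> SoHR:
    """SHV check: Windows Firewall must be enabled."""
    if soh.enabled:
        return SoHR(FIREWALL, True)
    return SoHR(FIREWALL, False, "enable Windows Firewall")


def antivirus_shv(soh: SoH) -> SoHR:
    """SHV check: antivirus enabled and definitions up to date; the SoHR
    carries the required signature version as its remediation instruction."""
    if not soh.enabled:
        return SoHR(ANTIVIRUS, False, "enable antivirus")
    if soh.signature_version < LATEST_AV_SIGNATURE:
        return SoHR(ANTIVIRUS, False, f"update signatures to {LATEST_AV_SIGNATURE}")
    return SoHR(ANTIVIRUS, True)


SHVS = {FIREWALL: firewall_shv, ANTIVIRUS: antivirus_shv}


def health_policy_server(ssoh: dict) -> dict:
    """Steps 4-5: run each SoH through its SHV, combine the SoHRs into an
    SSoHR and record which health policy matched ("Pass": all checks passed;
    "Fail": client fails one or more SHV checks)."""
    sohrs = [SHVS[s.component](s) for s in ssoh["sohs"]]
    policy = "Pass" if all(r.compliant for r in sohrs) else "Fail"
    return {"policy": policy, "sohrs": sohrs}


def enforcement_point(ssohr: dict) -> dict:
    """Step 6: apply the network policy bound to the matched health policy:
    full access for Pass, limited access plus the remediation URL for Fail."""
    if ssohr["policy"] == "Pass":
        return {"access": "full", "url": ""}
    return {"access": "limited", "url": TROUBLESHOOTING_URL}


def nap_connect(client: Client, max_rounds: int = 3) -> list:
    """Steps 1-8 end to end. Returns the access decision of each round."""
    decisions = []
    for _ in range(max_rounds):
        ssohr = health_policy_server(client.build_ssoh())     # steps 3-5
        decisions.append(enforcement_point(ssohr)["access"])  # step 6
        if not client.remediate(ssohr):                       # steps 7-8
            break
    return decisions
```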

Installing the Network Policy Server

NAP depends on a Windows Server 2008 NAP health policy server, which acts as a RADIUS server, to evaluate the health of client computers.

1. The first step is to add the Network Policy Server role. Open Server Manager, right-click Roles and click Add Roles.

2. The Add Roles Wizard begins. Click Next.


3. Tick the box next to Network Policy and Access Services and click Next.

4. An introduction to Network Policy and Access Services is displayed. Click Next.


5. Place a tick in the box next to Network Policy Server and click Next.

Network Policy Server needs to be selected to use any of the other items. Routing and Remote Access Services enables VPN termination; you may install it at the same time if you plan to run this server as a VPN server.


6. The next window displays the confirmation of the role to be installed. Click Install.

7. The Role has been installed successfully. Click Close.

This installs the core NPS service, which is sufficient for using the Windows Server 2008 computer as a RADIUS server for 802.1X, VPN, or DHCP enforcement.

Configuring the Network Policy Server to perform NAP enforcement

Open the Network Policy Server from Start, Administrative Tools, Network Policy Server


The Getting Started screen appears. Here you can use the standard configuration wizard to configure:

o Network Access Protection (NAP)

o RADIUS server for Dial-Up or VPN Connections

o RADIUS server for 802.1X Wireless or Wired Connections

Click Configure NAP.


You will see the Select Network Connection Method Used for NAP screen.

In the Network Connection dropdown box, select Dynamic Host Configuration Protocol (DHCP).

In the Policy Name text box, accept the default selection of NAP DHCP. With these settings configured, click Next to display the NAP Enforcement Servers screen. If the DHCP server is running on the local computer, this screen can be skipped. If, on the other hand, the DHCP servers are running on one or more remote servers, they must each have the Network Policy Server role installed and be configured as a RADIUS proxy to forward connection requests to the local NPS server. Click the Add... button and enter the name and IP address of the remote DHCP server, and either manually enter or generate a shared secret, which will need to be entered into the NAP DHCP policy of any remote DHCP servers. Repeat this process for each remote DHCP server before clicking Next to proceed to the DHCP Scopes screen.

The Specify DHCP Scopes screen appears.

If network client health is to be enforced for all IP addresses allocated by the DHCP server then no scopes need to be defined here. If, on the other hand, NAP enforcement is only required for certain IP address ranges, define the scopes here.

Click Add, and enter the name of the DHCP scope.

On the next screen, Machine Groups, enter the specific machines and users which are to be granted or denied access, or simply click Next.


The NAP Remediation Server settings page allows the addresses of Remediation Servers to be specified, from which clients may obtain the updates necessary to reach NAP compliance. It is also possible to specify a web page URL which displays information to the user about how to bring their computer into compliance with the defined policy. When the appropriate information has been entered, click Finish.


The Define NAP Health Policy screen appears. From here you can define the following options:

o Enable Auto-Remediation of Client Computers. This option is selected by default.

o Allow/Deny Full Access to NAP-Ineligible Client Computers. The Deny option is selected by default.


Click Next and then Finish.

System Health Validators (SHVs)

Create a new SHV to ensure that the Windows Firewall is enabled and antivirus is configured.

1. In the Network Policy Server console tree, double-click Network Access Protection, then double-click System Health Validators (or right-click it and select Properties).

On the Windows Security Health Validator Properties page, click Configure...


From here you can configure which components of the Windows Security Health Validator will be used to determine client health, including:

• Windows Firewall enabled

• Antivirus application enabled

• Antivirus definitions up-to-date

• Anti-spyware application enabled (Not available in the Windows XP NAP Agent)

• Anti-spyware definitions up-to-date (Not available in the Windows XP NAP Agent)

• Automatic Updates enabled

• Windows software updates, based on either the Microsoft Web site or a WSUS server


Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box. Close the Network Policy Server console.


Creating a System Health Policy

Now that you have configured the System Health Validators, you must configure a System Health Policy. System health policies define the system health validation results. Essentially, this means defining what constitutes a pass or fail when the system health validation is performed on a client.

To configure the Network Policy Server’s health policy navigate through the console tree to NPS (Local) > Policies > Health Policies.

Now, right-click the Health Policies container and select the New command from the resulting shortcut menu. When you do, Windows will display the Create New Health Policy dialog.


We will then need to tell Windows how to handle compliant or non-compliant systems from the system health perspective. We will configure Windows to use the Windows Security Health Validator policy, which passes or fails clients on the defined criterion of having an anti-virus program installed on the system.


In the Create New SHV Template dialog box:

o Under Name, type Fail.

o Under Template Type, choose Client fails one or more SHV checks.

o Under Select desired SHVs, select the Windows Security Health Validator.

o Click OK.

Configuring Network policies

Network policies evaluate information contained in client authorization requests and grant network access based on the results. Network policy determines whether a client complies with health policy.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit the network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

o Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.

o Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.

o Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.


Here we will assign the PASS policy so that compliant systems are granted full access, and for the FAIL policy they are granted access only to the remediation network to install the anti-virus. The wizard to add the policies in the MS-NAP implementation is straightforward.

Open the Network Policies node in the Network Policy Server management console.

Open the properties of the policy FAIL, go to the Settings tab and select NAP Enforcement in the Network Access Protection section.

Enable the option Allow limited access and click Configure. Choose the created Kaspersky Administration Kit Group in the drop-down menu. Enter a web page URL containing troubleshooting instructions; it may be an application installation guide or an instruction on launching a scan or update. In the example there is a link to the Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 installer on the Administration Server.


Click OK twice.

Health validation

If a client computer fails to meet policy requirements (e.g. the requirement Anti-Virus application installed, enabled in the policy, is unfulfilled), an exclamation icon will appear in the system tray next to the system clock and a message will be displayed informing the user that "Your computer is not compliant with the requirements of this network. Network access will be limited for this PC."

Click More Information.


Install Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 and reboot the PC.

After passing all checks in compliance with the Kaspersky settings (e.g. Anti-Virus application installed), a green icon will appear in the system tray next to the system clock and a message will be displayed informing the user that the computer is compliant with the requirements of this network. The client receives standard network settings and unlimited network access.


Configuring DHCP Server NAP Settings

The NAP settings associated with a DHCP server can be configured either on a server-wide (global) or per-scope basis.

To configure global settings for a DHCP server

Open the DHCP console (Start > All Programs > Administrative Tools > DHCP) and expand the tree in the left panel for the required DHCP server. Right-click IPv4, select Properties and select the Network Access Protection tab.

Within this screen, Network Access Protection settings on all scopes can be enabled or disabled using the two buttons. Further, the default behavior of the DHCP server when the Network Policy Server (NPS) is unreachable may also be configured. In Full Access mode, all DHCP clients are given full and unrestricted access to the network (essentially behaving as though NAP enforcement is not implemented). Restricted Access allows clients to access resources only on the server to which they are connected; the rest of the network is off limits until the NPS server comes back online. Finally, Drop Client Packet prevents all client access to the network.

Configuring NAP Settings for Scopes

The NAP settings for specific scopes can also be accessed and modified using the DHCP console. Once the DHCP console is running (as outlined in the preceding section), expand the required server in the left-hand panel, then expand the IPv4 entry so that the currently configured scopes are listed. Right-click the required scope entry, select Properties and click the Network Access Protection tab.
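The DHCP enforcement behaviour described under DHCP Server above (255.255.255.255 mask, no default gateway, host routes to the remediation server group) and the three NPS-unreachable modes on the Network Access Protection tab, as an added example that is not part of the original notes or of Microsoft's code: it builds the lease a compliant and a noncompliant client receive and checks what each can still reach. The scope, server addresses and remediation group are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values (assumptions, not from the notes): the DHCP scope, the
# DHCP server's own address and the remediation server group.
SCOPE_MASK = "255.255.255.0"
SCOPE_GATEWAY = "10.0.0.1"
DHCP_SERVER = "10.0.0.10"
REMEDIATION_SERVERS = ["10.0.0.20", "10.0.0.21"]

# Behaviour of the DHCP server when the NPS is unreachable (the three
# choices on the Network Access Protection tab).
FULL_ACCESS = "Full Access"
RESTRICTED_ACCESS = "Restricted Access"
DROP_CLIENT_PACKET = "Drop Client Packet"


@dataclass
class Lease:
    """IP configuration handed to a client by the DHCP enforcement point."""
    address: str
    subnet_mask: str
    default_gateway: Optional[str]
    host_routes: List[str] = field(default_factory=list)  # /32 routes only


def restricted_lease(address: str, reachable_hosts: List[str]) -> Lease:
    """Noncompliant configuration: 255.255.255.255 mask, no default gateway,
    and a host route for each address the client is still allowed to reach."""
    return Lease(address, "255.255.255.255", None,
                 [f"{host}/32" for host in reachable_hosts])


def build_lease(address: str, compliant: bool) -> Lease:
    """Compliant clients get the scope's normal settings; noncompliant clients
    can only reach the remediation server group."""
    if compliant:
        return Lease(address, SCOPE_MASK, SCOPE_GATEWAY)
    return restricted_lease(address, REMEDIATION_SERVERS)


def dhcp_enforcement(address: str, verdict: Optional[str],
                     nps_unreachable_mode: str) -> Optional[Lease]:
    """verdict is the NPS result ("compliant"/"noncompliant") or None when the
    NPS did not answer, in which case the configured fallback applies.
    Returns None when the DHCP server drops the client's packet."""
    if verdict is not None:
        return build_lease(address, verdict == "compliant")
    if nps_unreachable_mode == FULL_ACCESS:
        return build_lease(address, True)                # as if NAP were not enforced
    if nps_unreachable_mode == RESTRICTED_ACCESS:
        return restricted_lease(address, [DHCP_SERVER])  # only the DHCP server itself
    return None                                          # Drop Client Packet


def reachable(lease: Lease, destination: str) -> bool:
    """Whether a client holding this lease has any route to the destination.
    A /32 lease reaches only its host routes; a normal lease reaches its
    subnet directly and everything else through the default gateway."""
    dest = ipaddress.ip_address(destination)
    if lease.subnet_mask == "255.255.255.255":
        return any(dest in ipaddress.ip_network(r) for r in lease.host_routes)
    subnet = ipaddress.ip_network(f"{lease.address}/{lease.subnet_mask}",
                                  strict=False)
    return dest in subnet or lease.default_gateway is not None
```

Note that this models only what the lease allows; as the notes say, a client that sets a static address ignores the lease entirely, which is why DHCP enforcement only reduces risk from nonmalicious users.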


Exam Questions

Question

You are an Enterprise administrator for Certkiller.com. The company consists of a head office and a branch office, which are connected through VPN connectivity. The corporate network of the company consists of servers that run Windows Server 2008. The head office of the company has Network Access Protection (NAP) enforcement deployed for VPNs. Which of the following options would you choose to ensure that the health of all clients can be monitored and reported?

A. Create a Group Policy object (GPO) and link it to the domain and then set the Require trusted path for credential entry option to Enabled.

B. Create a Group Policy object (GPO) and link it to the domain and then enable the Security Center.

C. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Security Center.

D. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Require trusted path for credential entry option.

Answer B

Explanation: NAP replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which provided the ability to restrict access to a network for dial-up and virtual private network (VPN) clients. The solution was restricted to dial-up/VPN clients only. NAP improves on this functionality by additionally restricting clients that connect to a network directly, either wirelessly or physically, using the Security Center. NAP restricts clients using the following enforcement methods: IP security (IPsec), 802.1x, Dynamic Host Configuration Protocol (DHCP) and VPN. However, to enable NAP on all the clients in your domain, you should create a group policy and link it to a domain and then enable the Security Center.

Question

You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the corporate network run Windows Server 2008. The company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on the network. Which of the following options would you choose to configure the wireless network to accept smart cards?

A. Use WEP, 802.1X authentication, PEAP, and MSCHAP v2.

B. Use WPA2, PEAP, and MSCHAP v2.

C. Use WPA2, 802.1X authentication and EAP-TLS.

D. Use WPA, PEAP, and MSCHAP v2 and also require strong user passwords.

E. None of the above

Answer C

Explanation: To configure the wireless network to accept smart cards, you need to use WPA2, 802.1X authentication and EAP-TLS.


The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS).

Question

You are an enterprise administrator for Certkiller. The company has a head office and 15 branch offices. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The branch office computers use VPN connections to connect to the head office computers. Which of the following options would you choose to ensure that users cannot access the VPN server remotely from 21:00 to 06:00?

A. Create a network policy for VPN connections and configure the Day and time restrictions accordingly.

B. Configure the Logon Hours for the default domain policy by enabling the Force logoff when logon hours expire option.

C. Create a network policy for VPN connections and apply an IP filter to deny access to the corporate network.

D. Configure the Logon hours for all user objects by specifying only the VPN server on the Computer restrictions option.

Answer A

Explanation: To ensure that users cannot access the VPN server remotely from 21:00 to 06:00, you need to create a network policy for VPN connections and then modify the Day and time restrictions. The network policy provides a policy condition called "Allow full network access for a limited time", which allows clients to temporarily access the full network. However, NAP enforcement is delayed until the specified date and time.

Question

Certkiller.com employs RRAS (Routing and Remote Access Services) for remote user access. The remote users are not domain members. You find out that a virus is infecting internal member computers through a remote user computer. The remote user computer is the source of the virus that is infecting the domain members' computers. What should you do to protect the corporate network against viruses and malicious programs that are transmitted from a remote computer?

A. Create a network health policy that requires anti-virus software to be running and to update itself frequently.

B. Install file-level anti-virus software on the RRAS server and configure it to update automatically.

C. Put all remote users in an organizational unit and install antivirus software by creating a GPO.

D. Create a network health policy that requires an anti-spyware to run on the RRAS server. Ensure that it automatically updates itself.

E. All of the above

Answer A

Explanation: You need to configure a network health policy that requires anti-virus software to execute and check all the incoming files from the remote computer. In order to keep the anti-virus database up to date, you need to check the automatic updates option so you don't have to do the manual updates.

Question

As a network administrator for Certkiller, you have installed Windows Server 2008 on all the server computers of the company and Windows XP Professional Service Pack 2 and Windows Vista on all the client computers in the company. The company now wants all the computers to join the corporate network but wants to restrict non-compliant computers from communicating on the network. The computers must meet the system health requirements as stated in the corporate security policy. Which of the following role services should you install to achieve this?

A. Network Policy and Access Services

B. Routing and Remote Access Services

C. Terminal Services Licensing

D. Terminal Services Gateway

E. None of the above

Answer A

Explanation: Network Access Protection (NAP) is a component of the Network Policy and Access Services role that allows you to protect network resources by enforcing compliance with system health requirements.

Question

Certkiller.com has a corporate network. Network Access Protection (NAP) is configured with default settings for the network. You install an application on a client computer that runs Windows Vista Business. The basic job of the application is to connect to a remote database server. When you install the application on the client computer, the application fails. You start troubleshooting the problem and discover that the anti-spyware software installed on the client computer is not compatible with the new application. Even after disabling the anti-spyware software, the application continues to fail. What should you do to ensure that the application works normally on every client computer?

A. Turn off the anti-spyware setting "up to date" in the Windows Security Health Validator window
B. Turn off the anti-spyware setting "application is on" in the Windows Security Health Validator window
C. Configure the Windows Defender service on the client computer for manual startup. Disable the Windows Defender service and then enable it again after setting it to manual startup.
D. Configure the system health agent failure option through Error code resolution to Healthy
E. All of the above

Answer B

Explanation: To ensure that the application works normally on every client computer, you should choose option B: turn the anti-spyware setting "application is on" off in the Windows Security Health Validator window. The Windows Security Health Validator keeps all the important applications on to ensure that critical applications are working. Since the anti-spyware is not compatible with the application you are installing on client computers, you should turn it off in the Windows Security Health Validator window. You should not choose option A because it concerns updating the anti-spyware software. Similarly, the Windows Defender service is not an option for this scenario because it does not interfere with the new application, and there is no use in setting it to manual startup and disabling it.

Question: Certkiller.com has Network Access Protection (NAP) and Active Directory Certificate Services (AD CS) running on their Active Directory domain. New laptops with Windows Vista installed must connect to the wireless network and join the Active Directory domain. These portable computers will use PEAP-MS-CHAP v2 for authentication. What should you do to ensure that the laptops can join the domain when users restart them?

A. Run the netsh wlan export profile command on all laptops.
B. Configure each laptop computer with a bootstrap wireless profile.
C. Configure a group policy with the "Use Windows WLAN AutoConfig service for clients" policy setting enabled.
D. Configure a group policy with the "Use Windows WLAN AutoConfig service for clients" policy setting disabled.
E. None of the above

Answer B

Explanation: To ensure that wireless client laptops running Windows Vista and using PEAP-MS-CHAP v2 for authentication can join the AD domain when users restart them, you need to configure each laptop computer with a bootstrap wireless profile, which is a temporary wireless profile that can be used to obtain connectivity to a secure wireless network. Once connected to the wireless network, the wireless client user can join the computer to the domain after providing security credentials for authentication by a RADIUS server. These credentials may include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAPv2]) or certificates (for EAP-TLS).

Question: The corporate network of Certkiller consists of servers that have Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on them. A number of mobile users connect to the network wirelessly. You have NAP policies configured for these users. Which of the following options would you choose to ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network?

A. Use MS-CHAP v2 authentication on all portable computers.
B. Disable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
C. Use 802.1X authentication on all access points.
D. Enable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
E. None of the above

Answer C

Explanation: To ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network, you need to configure all access points to use 802.1X authentication. 802.1X enforcement enforces health policy requirements every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant.

Question: The corporate network of Certkiller contains a server running Windows Server 2008 that has the Network Policy Server (NPS) role service installed. Which of the following options would you choose to allow VPN access to the network only to members of a global group named Certkiller Staff?

A. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 1.
B. Add Certkiller Staff to the RAS and IAS Servers group.
C. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 3.
D. Add Certkiller Staff to the Network Configuration Operators group.
E. None of the above

Answer A

Explanation: To allow VPN access to the network only to members of Certkiller Staff, you need to create a new network policy, define a group-based condition for Certkiller Staff, set the access permission of the policy to Access Granted, and set the processing order of the policy to 1. You can create different compliance standards for users based on role, department, geography, and so on, and then create network policies based on them. For the same reason you can create a policy for the Certkiller Staff VPN group and set the processing order of the policy to 1. This is because the policies are evaluated from top to bottom and processing stops once a policy rule is matched. The Compliant Full Access policy, which states that machines passing all SHV checks are granted unrestricted network access, should be listed first. Having this policy listed first reduces processing load and time on the NPS. The next policy should be for non-compliant or restricted machines, and the third policy is for backward compatibility of computers.

Question: On the corporate network of Certkiller, Network Access Protection (NAP) is configured. You have configured 802.1X authentication on all the access points that wireless computers use to access the corporate network, to ensure secure wireless access. Which of the following options would you choose to ensure that all the client computers that try to access the corporate network are evaluated by NAP?

A. Configure a Connection Request Policy having EAP-TLS as the only available authentication method.
B. Configure all access points as RADIUS clients of the remediation servers.
C. Configure a Network Policy having the Remote Access Server as the only available authentication method.
D. Configure all access points as RADIUS clients of the Network Policy Server (NPS).
E. None of the above

Answer A

Explanation: To ensure that all the client computers that try to access the corporate network are evaluated by NAP, you need to create a Connection Request Policy that specifies EAP-TLS as the only available authentication method. By default, Windows Server 2008 supports the EAP methods PEAP-MS-CHAPv2, EAP with Transport Layer Security (TLS) or EAP-TLS, and PEAP-TLS. The connection request policy can impose connection requirements. For example, for 802.1X and VPN enforcement, the connection request policy requires the use of a Protected Extensible Authentication Protocol (PEAP)-based authentication method. If the connecting client does not use PEAP, the connection request is rejected.

Question: Certkiller.com has a server with Active Directory Domain Services and an Enterprise Root Certificate Authority installed. To protect the VPN connection, Certkiller.com has decided to employ Network Access Protection (NAP) on the server. You are given the task of implementing NAP on the server. You build two servers named Certkiller NPS and Certkiller VPN. You configure the functions on both servers as shown in the exhibit. What should you do to ensure that the system health policy is implemented on all client computers attempting to connect to the VPN server?

A. Configure a NAP role on an Enterprise Certificate Server
B. Reconfigure Certkiller NPS as a RADIUS client
C. Configure a NAP role and add it to a domain controller
D. Reconfigure Certkiller VPN as a RADIUS client
E. None of the above

Answer D

Explanation: To ensure that the system health policy is implemented on all client computers that attempt a VPN connection, you should reconfigure Certkiller VPN as a RADIUS client. Certkiller VPN will then authenticate and authorize the client VPN connections and will not allow those clients that do not have a system health policy applied on their machines.


Question: You are an enterprise administrator for Certkiller. The company has a head office and three branch offices. Besides this, the company has many remote users that need to connect to the corporate network. The company has divided these remote users into two global groups, GroupA and GroupB. To secure the corporate network, you installed the Network Policy Server (NPS) role service on a server that runs Windows Server 2008. You want to allow VPN access to the corporate network to GroupA. Which of the following options would you choose to accomplish this task?

A. Add GroupA to the RAS and IAS Servers group.
B. Add GroupA to the Network Configuration Operators group.
C. Create a new network policy having a group-based condition for GroupA, set the access permission of the policy to Access Granted, and set the processing order of the policy to 3.
D. Create a new network policy having a group-based condition for GroupA, set the access permission of the policy to Access Granted, and set the processing order of the policy to 1.

Answer D

Explanation: Network Policy Server (NPS) in Windows Server 2008 allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. To allow only members of a global group named GroupA VPN access to the network, you need to create a new network policy and define a group-based condition for GroupA. Set the access permission of the policy to Access Granted. Set the processing order of the policy to 1. Processing order specifies the numeric position of this policy in the list of policies configured on the NPS. Policies highest in the list (for example, at the first position) are processed by NPS first. Policies added at positions above other policies cause the positions of the other policies to drop in the list by one position. If the processing order is not specified, the policy is added at the end of the list.

Question: You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of an Active Directory domain called Certkiller.com. The domain runs Windows Server 2008 on all servers and Windows Vista on all client computers. The corporate network uses Network Access Protection (NAP) to enforce policies on client computers that connect to the network. According to the company's policy, only client computers that have updates labeled Important and Critical installed on them can access network resources. A Group Policy is used to configure client computers to obtain updates from WSUS. Which of the following options would you choose to ensure that client computers meet the company's policy requirement?

A. Disconnect the remote connection until the required updates are installed.
B. Enable the Security Center on each client.
C. Enable automatic updates on each client.
D. Quarantine clients that do not have all available security updates installed.

Answer D


Explanation: To ensure that client computers meet the company policy requirement, you need to quarantine clients that do not have all available security updates installed. Using the NAP Client Configuration tool, you can configure separate enforcement policies for remote access clients. Administrators can use NAP to enforce health requirements for all computers that are connected to an organization's private network, regardless of how those computers are connected to the network. You can use NAP to improve the security of your private network by ensuring that the latest updates are installed before users connect to your private network. If a client computer does not meet the health requirements, you can prevent the computer from connecting to your private network. To enforce remote access NAP, open the NAP Client Configuration tool, double-click Remote Access Quarantine Enforcement Client, and then select the Enable This Enforcement Client check box.

Question: On the corporate network of Certkiller, Network Access Protection is configured to limit the network access of computers based on predefined health requirements. The company's security policy enforces data confidentiality while data is in transit between servers and client computers. As a network administrator of the company, you want to ensure that personal portable computers that do not comply with policy requirements are prohibited from accessing company resources. What should you do to achieve this?

A. Create an IPsec enforcement network policy
B. Create an 802.1X enforcement network policy
C. Create a wired network (IEEE 802.3) group policy
D. Create an Extensible Authentication Protocol enforcement policy
E. None of the above

Answer A

Explanation: Because the scenario suggests the configuration of the security policy on the network, you need to create an IPsec enforcement network policy as the Network Access Protection mode to ensure that personal portable computers that do not comply with policy requirements are prohibited from accessing company resources. IPsec enforcement authenticates NAP clients when they initiate IPsec-secured communications with other NAP clients. An 802.1X-based enforcement network policy and the wired network (IEEE 802.3) group policy cannot be used because they are switch-based enforcement: every time a client activates a switch port, it is placed in a limited-access VLAN until it authenticates to a NAC server and passes assessment, which is not required here. An Extensible Authentication Protocol enforcement policy is not required here because it is used to allow EAP method vendors to easily develop and install new EAP methods on both client computers and NPS servers.

Question: You are a systems administrator for an enterprise company. You are currently configuring NAP enforcement in a lab environment. You need to create a network policy that prevents noncompliant computers from connecting to the network. How should you configure the network policy properties?


A. In the Settings tab, set NAP Enforcement to Allow Limited Access.
B. In the Overview tab, set Access Permission to Deny Access.
C. In the Constraints tab, set the Session Timeout to 0.
D. In the Settings tab, create an IP filter that drops all traffic.

Answer A

Explanation: Setting NAP Enforcement to Allow Limited Access limits the client to the remediation servers you list. If you do not list any remediation servers, clients will be completely denied network access.
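The processing-order rules given in the two VPN-access explanations above (policies are evaluated top to bottom, the first matching policy wins, a policy inserted at position 1 pushes the others down, and a policy added without a processing order goes to the end of the list) and the Limited Access behaviour described in the last explanation (only the listed remediation servers are reachable; an empty list means no access) can be checked in a small model. The following Python is an added example written for this page, not Microsoft's NPS code or a tool from the exam material; the policy names, group names, host names and the Policy and Client fields are constructed for the illustration.

```python
"""Simplified model of NPS network policy evaluation and NAP enforcement.

Added illustration (not Microsoft's implementation): policy evaluation is
modelled from the behaviour described in the explanations on this page.
All names below (groups, hosts, policy names) are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

FULL_ACCESS = "full"        # NAP Enforcement: Allow full network access
LIMITED_ACCESS = "limited"  # NAP Enforcement: Allow limited access

# Hosts on the constructed lab network; "wsus" and "av-updates" play the
# role of remediation servers.
ALL_HOSTS = {"fileserver", "wsus", "av-updates"}


@dataclass
class Client:
    groups: Set[str]   # Windows groups the connecting account belongs to
    compliant: bool    # result of the SHV checks


@dataclass
class Policy:
    name: str
    condition: Callable[[Client], bool]  # group-based / health condition
    access_granted: bool                 # Access Granted vs. Deny Access
    nap_enforcement: str = FULL_ACCESS
    remediation_servers: Set[str] = field(default_factory=set)


class NpsPolicyList:
    """Ordered list of network policies, evaluated top to bottom."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy, processing_order: Optional[int] = None) -> None:
        """Insert at the 1-based position; policies below it drop by one.
        Without a processing order the policy is appended at the end."""
        if processing_order is None:
            self.policies.append(policy)
        else:
            self.policies.insert(processing_order - 1, policy)

    def order(self) -> List[str]:
        return [p.name for p in self.policies]

    def evaluate(self, client: Client) -> Optional[Policy]:
        """First policy whose conditions match wins; processing then stops."""
        for policy in self.policies:
            if policy.condition(client):
                return policy
        return None


def reachable_hosts(policy: Optional[Policy], all_hosts: Set[str]) -> Set[str]:
    """Hosts the client can reach after `policy` matched it."""
    if policy is None or not policy.access_granted:
        return set()
    if policy.nap_enforcement == FULL_ACCESS:
        return set(all_hosts)
    # Limited Access: only the remediation servers listed in the policy are
    # reachable; an empty list leaves the client with no network access.
    return set(policy.remediation_servers) & set(all_hosts)


def decide(nps: NpsPolicyList, client: Client, all_hosts: Set[str]) -> Tuple[str, Set[str]]:
    policy = nps.evaluate(client)
    return (policy.name if policy else "<no match>", reachable_hosts(policy, all_hosts))


def vpn_policy_list() -> NpsPolicyList:
    """Constructed policy set for the GroupA VPN scenario from the questions."""
    nps = NpsPolicyList()
    # Added without a processing order: appended (position 1 at this moment).
    nps.add(Policy("Noncompliant GroupA - Restricted",
                   lambda c: "GroupA" in c.groups and not c.compliant,
                   access_granted=True, nap_enforcement=LIMITED_ACCESS,
                   remediation_servers={"wsus", "av-updates"}))
    # Catch-all deny, appended after the restricted policy.
    nps.add(Policy("Deny all other connections", lambda c: True, access_granted=False))
    # Compliant full-access policy inserted at position 1: the two policies
    # above drop to positions 2 and 3.
    nps.add(Policy("Compliant GroupA - Full Access",
                   lambda c: "GroupA" in c.groups and c.compliant,
                   access_granted=True), processing_order=1)
    return nps


if __name__ == "__main__":
    nps = vpn_policy_list()
    print("processing order:", nps.order())
    for label, client in [("compliant GroupA", Client({"GroupA"}, True)),
                          ("noncompliant GroupA", Client({"GroupA"}, False)),
                          ("compliant GroupB", Client({"GroupB"}, True))]:
        print(label, "->", decide(nps, client, ALL_HOSTS))
```

Running the block prints the final processing order and, for each constructed client, the policy that matched and the hosts it can reach. Inserting a deny-all policy at position 1 afterwards makes every client hit it first, which is the failure mode the explanations warn about when the processing order is set too low.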