TRANSCRIPT
![Page 1: Venkatesh Gopalakrishnan Group Program Manager Microsoft Corporation WSV305 Lambert Green Development Lead Microsoft Corporation](https://reader035.vdocuments.site/reader035/viewer/2022062307/551affeb5503465e7d8b56c1/html5/thumbnails/1.jpg)
Deploying NAP: Best Practices and Lessons Learned

Venkatesh Gopalakrishnan, Group Program Manager, Microsoft Corporation (WSV305)
Lambert Green, Development Lead, Microsoft Corporation
Agenda

- Background: Network Access Protection
- Updates in Windows® 7 & Windows® Server 2008 R2
- NAP Deployment Basics
- Best Practices & Common Mistakes
- Conclusions & Takeaways
Today’s Network Challenges

Today’s networks are highly connected:
- Multiple access methods
- Users with different access rights
- Numerous devices used for access

New Challenges
- Increased workforce mobility
- Increased exposure to malware
- Need to control guest, vendor access

Key Strategies
- Validate user identity and system health
- Aggressively update out-of-compliance systems
- Continuously monitor compliance state of the network

The Solution
- NAP: comprehensive, policy-based authentication and compliance platform

(Diagram: Customers, Partners and Remote Employees reaching the Intranet over the Internet)
Network Access Protection

Network Access Control solution that:
- Validates whether computers meet health policies
- Monitors compliance state of computers on the network
- Can limit access for noncompliant computers
- Automatically remediates noncompliant computers

(Diagram: Customers, Partners and Remote Employees connecting over the Internet to the Intranet)

Solution Highlights
- Available on multiple platforms
- Works with most devices
- Supports multiple antivirus solutions
- Highly extensible
Several Enforcement Options to choose from!

(Diagram: the following options arranged around Network Access Protection)
- VPN
- DHCP
- Terminal Services Gateway
- 802.1x
- IPsec
- Direct Access

Multiple Enforcement Modes
- Reporting mode: used for monitoring level of compliance
- Deferred enforcement mode: full access up to a specified date/time
- Full enforcement mode

Available on multiple platforms
- Windows® 7, Vista & XP SP3
- Windows® Server 2008 & 2008 R2
- Other OS’s via partner ecosystem
Terminology

- NPS (Network Policy Server): AAA server role in Windows® Server 2008 used to validate user identity and system health
- HRA (Health Registration Authority): Server role that provides compliant clients with an X.509 certificate to make health claims
- SHA (System Health Agent): Plug-in component that monitors health status on the client to generate a health claim
- SHV (System Health Validator): Plug-in server component that interprets the health claim from the corresponding SHA
- SoH (Statement of Health): Protocol used to communicate health claims between SHAs and SHVs
- QEC/EC (Quarantine Enforcement Client): Component that manages quarantine behavior on the client
- NAS (Network Access Server): Any server or device used to gain access to a network – e.g. 802.1x switch, VPN, TSG, DHCP server, HRA
NAP - How It Works

1. Access requested
2. Authentication data and health state sent to NPS (RADIUS)
3. NPS validates against access and health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation

(Diagram: the client reaches a NAS (DHCP, VPN, HRA, TSG, 802.1x switch), which forwards to Microsoft NPS; NPS consults Directory and Health Servers, e.g., Active Directory, Patch, AV. A policy-compliant client is placed on the Corporate Network; a client that is not policy compliant is placed on the Restricted Network with Remediation Servers, e.g., Patch.)
NAP Architecture

(Diagram of components and message flows:)
- NAP Client: System Health Agents (SHA) such as SHA-AV, SHA-Patch and SHA-WSC; the NAP Agent; Enforcement Clients (EC) for IPsec, 802.1x, DHCP, VPN and EC-x
- Network Access Devices and Enforcement Servers (ES): 802.1x switch, HRA, VPN server, DHCP server, ES-x, …
- NAP Server: Network Policy Server (NPS) hosting System Health Validators (SHV) such as SHV-AV, SHV-Patch and SHV-WSC
- System Health Servers: source of the Health Policy used by NPS
- Remediation Servers: source of Updates for the client
- Flows: Health Data travels from the SHAs to the SHVs as SoH packets; Network Access Messages pass between the Enforcement Clients and the Enforcement Servers
New in Windows® 7 & Server 2008 R2

Enhancements & New Features:
- NPS Server configuration templates
- Multi-SHV configuration
- Migration from Windows Server 2003 IAS
- NAP client user interface enhancements
- Accounting Wizard

New NAP Scenarios
- NAP for Direct Access
- Terminal Services Gateway Remediation
- Off-network health assessment & remediation
- Forefront Client Security SHA/SHV
Off-network Health Assessment
Recording compliance for roaming clients

- NAP can be used to assess compliance of your off-network clients
- Clients connect to an internet facing health validation server which records health assessment
- Out of compliance clients can be remediated before they return to the intranet

Advantages
- Record compliance for all your assets
- Remediate clients anywhere
- Scalable solution
- Easy to deploy

(Diagram: an Internet-facing HRA in front of NPS and Policy Servers; clients that are not policy compliant are directed to Remediation Servers, e.g., Patch, before reaching Corporate Resources)
NAP Deployment Basics
Planning Basics

- Identify your NAP deployment goals
- Inventory the various methods computers access your network
- Determine which enforcement options are right for you
- Understand what “system health” means for your network
- Determine your monitoring or compliance reporting needs
- Determine if exemptions will be required
- Create a testing and rollout strategy
- Create an availability and scale out strategy
Potential NAP Deployment Goals

- Manage risk within a network
- Track compliance with security policies
- Keep computers updated
- Protect roaming laptop computers
- Protect corporate assets from unmanaged computers
- Protection for corporate HQ network
- Protection for branch offices
- Protection for remote access
Enforcement Options

| Enforcement Option | Healthy Client | Unhealthy Client |
|---|---|---|
| No Enforcement | Compliance state recorded | State recorded; auto remediation possible |
| IPSec | Can communicate with any trusted peer | Connection requests rejected by healthy peers |
| 802.1x | Full access | Restricted VLAN |
| Terminal Services Gateway | Full application access | Access restricted to limited set of resources for remediation |
| VPN | Full access | IP filters to remediation servers enforced by VPN server |
| DHCP | Routable IP configuration | Restricted route to remediation servers only |
| Direct Access | Direct tunnel to intranet hosts | Connection rejected, new health certificate required |
Enforcement Options

No Enforcement or Reporting Mode
- Enables monitoring of the compliance state of your network
- Useful for organizations that don’t want to take the productivity hit of full enforcement
- Allows for “commercially reasonable compliance”
- Can turn on deferred or full enforcement based on current risk

IPSec Enforcement
- Health Certificate (X.509) is provided to clients that comply with policy (HC is required for all IPSec connections)
- Works with existing network infrastructure
- Protects roaming computers
- Requires PKI infrastructure
Enforcement Options

802.1x Enforcement
- Provides strong network restrictions for devices accessing the network
- Applies to both wireless and wired connections
- Clients are restricted using IP filters or VLAN identifier
- Works with any 802.1x compliant switch or wireless access point

Terminal Services Gateway
- Ensures health policy is met before allowing terminal services gateway connections to corporate applications & servers
- Does not require specific network devices

VPN Enforcement
- Protects the network from unhealthy computers remotely connecting to the network
- NPS instructs VPN server to apply IP filters to restrict unhealthy clients
- Simple to deploy – no specific network gear required
Enforcement Options

DHCP
- Validates client health when IP address is requested
- Unhealthy clients can only route to the default gateway
- Requires configuration of static route to remediation server
- Very easy to deploy – great for pilot NAP deployment

Direct Access
- Enables remote computers to connect directly to hosts in the intranet without using a VPN
- Connections use IPSec tunnels
- Client health is validated before IPSec connection is established
- Same requirements as IPSec Enforcement
Health Policy Options

Windows Security Center
- Firewall on/off
- Anti-virus installed & up to date
- Anti-spyware installed & up to date
- Automatic updates enabled

System Center Configuration Manager
- Required software patches are installed
- Automatic patch installation to remediate

Forefront Client Security
- Malware signature definition files up to date
- State of system services

Third party SHA/SHVs
- Major anti-virus vendors
- Extensible health validation rules (registry, WMI, etc.)
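As an added illustration (not code from the deck, and not NPS or NAP client source), the following Python model ties together the How It Works flow, the three enforcement modes, the Enforcement Options table and the health checks listed above: SHAs produce a Statement of Health, the matching SHVs check it against a health policy, the health policy combines the SHV results (every SHV must pass, or one or more), and the enforcement mode turns a non-compliant verdict into full access with compliance recorded (reporting), full access until a cut-off (deferred) or restricted access with remediation (full). The class and function names, the claim keys and the sample clients are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Callable, Dict, List, Optional


class Mode(Enum):
    REPORTING = "reporting"  # compliance recorded, nobody restricted
    DEFERRED = "deferred"    # full access until a cut-off date/time
    FULL = "full"            # non-compliant clients are restricted


@dataclass
class SoH:
    """Statement of Health: the claims each SHA on the client produced, keyed by SHA name."""
    client: str
    claims: Dict[str, dict]


# One validator per SHA; each returns the violations it found (empty list = pass).
# Rules mirror the checks the deck lists for the Windows Security Center and
# Configuration Manager SHVs; the claim keys are assumptions for this example.
def shv_wsc(c: dict) -> List[str]:
    checks = [("firewall_on", "firewall is off"),
              ("av_up_to_date", "anti-virus missing or out of date"),
              ("antispyware_up_to_date", "anti-spyware missing or out of date"),
              ("auto_update_on", "automatic updates disabled")]
    return [msg for key, msg in checks if not c.get(key, False)]


def shv_patch(c: dict) -> List[str]:
    return [f"required patch not installed: {p}" for p in c.get("missing_required_patches", [])]


SHVS: Dict[str, Callable[[dict], List[str]]] = {"WSC": shv_wsc, "Patch": shv_patch}


@dataclass
class HealthPolicy:
    mode: Mode
    required_shvs: tuple = ("WSC", "Patch")
    combine: str = "all"                       # "all": every SHV must pass; "any": one or more passes
    deferred_until: Optional[datetime] = None  # cut-off used by Mode.DEFERRED


@dataclass
class Decision:
    compliant: bool
    access: str      # "full" or "restricted"
    remediate: bool  # remediation is attempted whenever the client is non-compliant
    reasons: List[str] = field(default_factory=list)


def evaluate_soh(soh: SoH, policy: HealthPolicy, now: datetime) -> Decision:
    """Step 3 of the flow (NPS validates against health policy) plus the enforcement-mode decision."""
    results, reasons = {}, []
    for name in policy.required_shvs:
        if name not in soh.claims:
            # The SHA never reported; modelled here as a failed check.
            results[name] = False
            reasons.append(f"{name}: no statement of health from client")
            continue
        failures = SHVS[name](soh.claims[name])
        results[name] = not failures
        reasons += [f"{name}: {f}" for f in failures]
    compliant = all(results.values()) if policy.combine == "all" else any(results.values())
    if compliant:
        return Decision(True, "full", False)
    if policy.mode is Mode.REPORTING:
        return Decision(False, "full", True, reasons)
    if policy.mode is Mode.DEFERRED and policy.deferred_until is not None and now < policy.deferred_until:
        return Decision(False, "full", True, reasons)
    return Decision(False, "restricted", True, reasons)


# What "restricted" means per enforcement option, from the deck's Enforcement Options table.
RESTRICTION = {
    "DHCP": "no routable IP configuration; route to remediation servers only",
    "VPN": "IP filters to remediation servers enforced by the VPN server",
    "802.1x": "placed in the restricted VLAN",
    "IPsec": "no health certificate issued; connection requests rejected by healthy peers",
    "TSG": "access restricted to the remediation resource set",
}


def describe(decision: Decision, enforcement: str) -> str:
    if decision.access == "full":
        return "full access" + ("" if decision.compliant else " (non-compliance recorded)")
    return RESTRICTION[enforcement]


# Constructed sample data for the example (not real client data or real KB numbers).
NOW, CUTOFF, LATER = datetime(2009, 6, 1), datetime(2009, 7, 1), datetime(2009, 8, 1)
HEALTHY = SoH("pc-healthy", {"WSC": {"firewall_on": True, "av_up_to_date": True,
                                     "antispyware_up_to_date": True, "auto_update_on": True},
                             "Patch": {"missing_required_patches": []}})
SICK = SoH("pc-sick", {"WSC": {"firewall_on": False, "av_up_to_date": True,
                               "antispyware_up_to_date": True, "auto_update_on": True},
                       "Patch": {"missing_required_patches": ["KB-EXAMPLE-1"]}})


def run_sample(now: datetime = NOW) -> Dict[str, str]:
    """Evaluate the SICK client under each mode with a July cut-off; returns {mode: access}."""
    return {m.value: evaluate_soh(SICK, HealthPolicy(m, deferred_until=CUTOFF), now).access for m in Mode}
```

Calling `run_sample()` shows the sick client getting full access in reporting and deferred mode and restricted access in full mode; calling it with a clock past the cut-off (`run_sample(LATER)`) flips the deferred result to restricted. That ordering is what the phased rollout later in the deck (reporting, then deferred, then full) relies on, and `describe()` maps the restricted outcome onto the per-option behaviour from the table.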
NAP Deployment Example (demo)
Lambert Green, Development Lead, Microsoft Corporation
Testing & Rollout

Lab Testing
- Use step by step guides to create a proof of concept deployment
- Recommend trying DHCP enforcement in the lab

Pilot Deployments
- Roll out to a controlled set of users (e.g. Admins) before each deployment phase

Phased Production Rollout
- Reporting Mode – measure compliance
- Deferred Enforcement – give users a chance
- Full Enforcement – forced quarantine and automatic remediation
Best Practices

Reporting Mode
- Sufficient for many organizations
- Most users will bring their systems into compliance after some encouragement

Availability & Failover
- Recommend a minimum of two servers for each role
- Use NPS internal load balancing capability
- Load balance HRA servers behind a VIP

Scale-out
- Consider performance, server roles, access profile and location
- Recommend at least one NPS server in each branch location

Remediating clients on the Internet
- Use Internet facing HRA to monitor and remediate domain joined clients that are currently off-network
Common Mistakes

- HRA not configured to accept SSL requests
- Network connectivity between servers
- Insufficient network policies defined
- No health policy is defined
- Incorrect certificate lifetime
- Accounting port ACLs not open
- NAP client is not enabled via Group Policy
Takeaways
10 things you should know about NAP

1. NAP server roles are built into Windows® Server 2008 & 2008 R2
2. The NAP client is built into Windows® XP Service Pack 3, Windows® Vista and Windows® 7
3. The NAP “agent” isn’t really an agent; it is a service that can be managed via Group Policy
4. Microsoft has over 100 partners that integrate or interoperate with the NAP platform
5. NAP clients for Linux and Macintosh are available from our partners
6. There are no additional licenses required to deploy NAP
7. NAP is deployed on nearly 300,000 desktops at Microsoft
8. Several enforcement methods can be used with NAP – 802.1x, IPSec, DHCP, TS Gateway, VPN, Direct-Access
9. No Enforcement or Reporting Mode is sufficient for many organizations
10. NAP can be used to assess and remediate clients even when they are not connected to your network!
Conclusions
Why deploy NAP?

- Software solution – no new gear to purchase
- Scalable – Microsoft uses it on hundreds of thousands of desktops
- Widely available
- Extensible platform
- Large partner ecosystem – several 3rd party extensions

(Diagram: DHCP, VPN and switch/router in front of Microsoft NPS and Policy Servers, e.g., Patch, AV; policy-compliant clients reach the Corporate Network, clients that are not policy compliant go to the Restricted Network with Remediation Servers, e.g., Patch)

Benefits
- Enhanced security
- Simplified health management
- Lower risk
- Greater interoperability
- Investment protection and increased ROI
NAP Resources
NAP Website: http://www.microsoft.com/nap
NAP Blog: http://blogs.technet.com/nap
TechNet: http://technet.microsoft.com/en-us/network/bb545879.aspx
question & answer
Resources

- www.microsoft.com/teched – Sessions On-Demand & Community
- http://microsoft.com/technet – Resources for IT Professionals
- http://microsoft.com/msdn – Resources for Developers
- www.microsoft.com/learning – Microsoft Certification & Training Resources
Related Content
DPR305 Practical Regulatory Compliance and Risk Management
SIA02-INT Advanced Deployment of Microsoft Forefront Code Name "Stirling"
SIA205 The Risks and Rewards of Security, Identity, and Access Integration
PRC06 Microsoft System Center Configuration Manager 2007: Setup, Deployment, and Administration
Windows Server Resources

- Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
- Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
- Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies
  - Over 15 booths and experts from Microsoft and our partners
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.