Welcome: Windows Server 2008 Security Features - NAP. Network Access Protection in Windows Server 2008
Welcome
Windows Server 2008 Security Features - NAP
Network Access Protection in Windows Server 2008
Overview
Network Policies Access Protection
Enforcement Options
Network Access Protection Scenarios
Lesson 1: Network Policies Access Protection
Why Use Network Access Protection?
Network Protection Services Overview
Network Access Protection Solution
NAP Architecture Overview
Network Layer Protection with NAP
Host Layer Protection with NAP
Why Use Network Access Protection?
Diagram: a private network, with a healthy computer and an unhealthy computer requesting access
NAP vs. Network Access Quarantine Control

| | Network Access Protection | Network Access Quarantine Control |
|---|---|---|
| Clients covered | Internal, VPN and remote access clients | Only VPN and remote access clients |
| Enforcement methods | IPsec, 802.1X, DHCP and VPN | DHCP and VPN |
| Availability | NPS and NAP client included in Windows Server 2008; NAP client included in Windows Vista | Installed from the Windows Server 2003 Resource Kit |
Network Protection Services Overview
Network Policy Server (NPS)
Network Access Protection (NAP) Policy Server
IEEE 802.11 Wireless
IEEE 802.3 Wired
RADIUS Server
RADIUS Proxy
Routing and Remote Access
Remote Access Service
Routing
Health Registration Authority (HRA)
Network Access Protection Solution
Policies, Procedures & Awareness
Data
Application
Host
Internal Network
Perimeter
Policy Validation
Network Restriction
Remediation
Ongoing Compliance
NAP Architecture Overview
Client side: System Health Agents (SHAs) from Microsoft and third parties; Quarantine Agent (QA); Enforcement Clients (ECs) for DHCP, IPsec, 802.1X and VPN
Server side: MS Network Policy Server, hosting the Quarantine Server (QS) and the System Health Validators (SHVs) that apply the health policy
Infrastructure: Network Access Devices and Servers (the enforcement points), System Health Servers (supply the health policy), Remediation Servers (supply updates)
Flows shown on the diagram: Health Statements from the client to the NPS; Network Access Requests from the client to the access devices; a Health Certificate returned to a compliant client; Updates from the Remediation Servers to the client
Network Layer Protection with NAP
Actors: Client, 802.1X switch, MS NPS, System Health Servers, Remediation Servers, Restricted Network
1. Client to NPS (through the 802.1X switch): "May I have access? Here's my current health status."
2. NPS: "Should this client be restricted based on its health?" The System Health Servers provide ongoing policy updates to the Network Policy Server.
3. Policy result: "According to policy, the client is not up to date. Quarantine client, request it to update."
4. NPS to client: "You are given restricted access until fix-up." The client is placed in the Restricted Network.
5. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
6. Client to NPS: "Requesting access. Here's my new health status."
7. Policy result: "According to policy, the client is up to date. Grant access."
8. Client is granted access to the full intranet.
Host Layer Protection with NAP
Actors: Client, Health Registration Authority (HRA), NPS, Remediation Server
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?" NPS: "No. Needs fix-up."
3. HRA to client: "You don't get a health certificate. Go fix up." Accessing the network is blocked (X on the diagram).
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client to HRA again with its new SoH; HRA to NPS: "Client ok?" NPS: "Yes. Issue health certificate."
6. HRA to client: "Here's your health certificate." The client can now access the network.
IPsec policy zones shown on the diagram: No Policy, Authentication Optional, Authentication Required
Technical Background
NAP Platform Architecture
NAP Enforcement Methods
NAP Infrastructure
NAP Client Architecture
NAP Server Architecture
Component Communication
NAP Infrastructure
Health Policy Validation
Health Policy Compliance
Automatic Remediation
Limited Access
NAP Platform Architecture
Network Access Protection Components (1 of 5)
NAP Clients: IPsec, 802.1X, VPN, DHCP
NAP Servers: determine the system health of any NAP client
Windows Server 2008 + Network Policy Server
Remediation actions are required for computers that are not compliant
Health Registration Authority
VPN Server
DHCP Server
Network Access Protection Components (3 of 5)
NPS Servers
Replacement for the Internet Authentication Service (IAS)
Windows Server 2008 + validates the system health policy
Active Directory Domain Services
Group Policy settings for IPsec
802.1X credentials are stored in the directory service
Network Access Protection Components (4 of 5)
Restricted Network
Separate network segment (logical or physical)
Contains the Remediation Servers
Remediation Server
Brings the NAP client into compliance with the health policy
System Health Agent (SHA)
Checks a particular health parameter
Sends a Statement of Health (SoH) to the System Health Validator (SHV)
Network Access Protection Components (5 of 5)
System Health Validator
Compares the Statement of Health (SoH) sent from a System Health Agent (SHA) with the health policy
Statement of Health (SoH)
The SoH is the statement a System Health Agent sends to a System Health Validator; the SHV answers with a Statement of Health Response (SoHR) that carries the verdict and any remediation instructions
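The SoH/SoHR exchange described on the SHA, SHV and Statement of Health slides, worked as a small Python model. This is an added example for this page, not Microsoft's code: the attribute names follow the checks of the Windows Security Health Validator, while the SHA ids, the policy table, the remediation texts and the network policy names are assumptions made for the illustration.

```python
"""Health evaluation in NAP, modelled end to end.

Each System Health Agent (SHA) on the client reports a Statement of Health
(SoH). The matching System Health Validator (SHV) on the NPS compares the SoH
with the health policy and returns a Statement of Health Response (SoHR). The
NPS then maps the SoHRs to a network policy: full access when the client is
compliant, restricted access plus remediation hints when it is not.

Added illustration for this deck, not Microsoft's implementation. The check
names follow the Windows Security Health Validator; the SHA ids, the policy
table, the hints and the policy names are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoH:
    sha_id: int        # constructed id; real SHAs carry vendor-assigned ids
    state: dict        # health attributes as reported by the SHA


@dataclass
class SoHR:
    sha_id: int
    compliant: bool
    failed: list = field(default_factory=list)   # (attribute, remediation hint)


# Health policy enforced by the SHV: attribute -> (required value, hint sent
# back in the SoHR when the check fails).
WINDOWS_SHV_POLICY = {
    "firewall_enabled": (True, "Enable Windows Firewall for all network connections"),
    "antivirus_enabled": (True, "Start the antivirus application"),
    "antivirus_up_to_date": (True, "Download the latest antivirus signatures"),
    "automatic_updates_enabled": (True, "Turn on Automatic Updates"),
}


def validate(soh, policy=WINDOWS_SHV_POLICY):
    """SHV side: compare one SoH with the policy and build the SoHR."""
    failed = []
    for attr, (required, hint) in policy.items():
        # An attribute the SHA did not report cannot be confirmed healthy,
        # so it fails the check instead of passing silently.
        if soh.state.get(attr) != required:
            failed.append((attr, hint))
    return SoHR(soh.sha_id, not failed, failed)


def nps_decision(sohrs, require_all=True):
    """NPS side: apply the health-policy condition and pick the network policy.

    require_all=True  -> 'Client passes all SHV checks'
    require_all=False -> 'Client passes one or more SHV checks'
    Returns (network policy name, list of remediation hints).
    """
    verdicts = [r.compliant for r in sohrs]
    passed = all(verdicts) if require_all else any(verdicts)
    hints = [hint for r in sohrs for _, hint in r.failed]
    if passed:
        return "Compliant-FullAccess", []
    return "Noncompliant-Restricted", hints


if __name__ == "__main__":
    # Constructed sample: the SHA reports the firewall switched off.
    first_pass = SoH(1, {"firewall_enabled": False, "antivirus_enabled": True,
                         "antivirus_up_to_date": True, "automatic_updates_enabled": True})
    print(nps_decision([validate(first_pass)]))      # restricted access, one hint
    # After remediation the client re-sends its SoH and is let in.
    second_pass = SoH(1, dict(first_pass.state, firewall_enabled=True))
    print(nps_decision([validate(second_pass)]))
```

Two points the model makes visible. A client whose SHA reports nothing fails every check here, whereas the real Windows SHV has separate settings for "SHA not installed or not responding" and for "health server unreachable", so those error cases must be configured deliberately rather than left to default to compliant. And with `require_all=True` an empty list of SoHRs passes (`all([])` is true), which is why an NPS health policy should always reference at least one SHV.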
Misconception
The quarantine network is anything but empty
An SMS server must be reachable from within Quarantine Mode
For starters, it must have a DNS server (which should not be a primary DNS server)
Finally, the DHCP and IAS servers (VPN Quarantine Mode only) must be accessible.
Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated.
Lesson 2: Enforcement Options
NAP – Enforcement Options
NAP with DHCP
IPsec-based Communication
NAP with RRAS
NAP – Enforcement Options
NAP with DHCP
Components: Client, DHCP Server, NPS Server, Remediation Servers (the VPN Server and IEEE 802.1X devices appear alongside as the other enforcement points)
1. Client to DHCP server: "I need to lease an IP address." The DHCP server passes the client's health status to the NPS server.
2. NPS server: "You are not within the Health Policy requirements." The client receives a restricted configuration.
3. The client requests and receives updates from the remediation servers.
4. Client: "Requesting access. Here's my new health status."
5. DHCP server, after the NPS approves: "Access granted. Here is your new IP address."
Demo1: Using Network Access Protection
Exercise 1: Configuring Network Access Protection for DHCP
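What the restricted lease in the NAP-with-DHCP flow above looks like on the wire, as an added Python example (not from the deck or from Microsoft): a noncompliant client is given a 255.255.255.255 subnet mask, no router option, and classless static routes (RFC 3442 option 121, mirrored in Microsoft's option 249) that reach only the remediation servers. The addresses below are constructed for the example.

```python
"""Restricted-access DHCP lease as handed out by NAP DHCP enforcement.

A noncompliant client receives a lease with a 255.255.255.255 subnet mask, no
default gateway (option 3) and classless static routes (RFC 3442 option 121,
duplicated in Microsoft's option 249) that reach only the remediation servers.
Added example for this page; all addresses are constructed, not from the deck.
"""
import ipaddress

OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_CLASSLESS_STATIC_ROUTE = 121      # RFC 3442
OPT_MS_CLASSLESS_STATIC_ROUTE = 249   # Microsoft's pre-RFC option number


def encode_classless_routes(routes):
    """routes: iterable of (destination CIDR, next-hop) -> option payload.

    Each entry is: prefix length, the significant octets of the destination
    (ceil(prefix/8) of them), then the 4-octet router address."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(via).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects a truncated payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        significant = (plen + 7) // 8
        dest = payload[i:i + significant] + b"\0" * (4 - significant)
        i += significant
        via = payload[i:i + 4]
        i += 4
        if len(dest) != 4 or len(via) != 4:
            raise ValueError("truncated classless static route entry")
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(via))))
    return routes


def build_lease_options(compliant, gateway, remediation_servers,
                        full_mask="255.255.255.0"):
    """DHCP options the NAP-enabled server returns for one client."""
    options = {}
    if compliant:
        options[OPT_SUBNET_MASK] = ipaddress.IPv4Address(full_mask).packed
        options[OPT_ROUTER] = ipaddress.IPv4Address(gateway).packed
        return options
    # Noncompliant: host mask, no router, host routes to remediation only.
    options[OPT_SUBNET_MASK] = b"\xff\xff\xff\xff"
    payload = encode_classless_routes([(f"{s}/32", gateway) for s in remediation_servers])
    options[OPT_CLASSLESS_STATIC_ROUTE] = payload
    options[OPT_MS_CLASSLESS_STATIC_ROUTE] = payload
    return options


def client_can_reach(options, dst):
    """Would a client configured with these options have a route to dst?

    A default gateway covers everything; with a /32 mask there are no on-link
    destinations, so only the static routes remain."""
    if OPT_ROUTER in options:
        return True
    routes = decode_classless_routes(options.get(OPT_CLASSLESS_STATIC_ROUTE, b""))
    addr = ipaddress.IPv4Address(dst)
    return any(addr in ipaddress.IPv4Network(d) for d, _ in routes)


if __name__ == "__main__":
    # Constructed lab: gateway 10.0.0.1, WSUS at 10.0.0.50, AV server at 10.0.0.51.
    quarantined = build_lease_options(False, "10.0.0.1", ["10.0.0.50", "10.0.0.51"])
    print(quarantined[OPT_CLASSLESS_STATIC_ROUTE].hex())
    print(client_can_reach(quarantined, "10.0.0.50"), client_can_reach(quarantined, "10.0.0.20"))
```

The server sets both 121 and 249 because Windows clients honour either, and older clients only know 249. The `/32` mask is what makes the quarantine effective: nothing is on-link, so any destination without an explicit route is unreachable, which is exactly why the Misconception slide insists that DNS, DHCP and the remediation servers must be reachable from inside the restricted configuration.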
NAP with RRAS
Components: Client, VPN Server, NPS Server, Remediation Servers
PEAP messages carry the client's health statement from the client to the NPS server through the VPN server; RADIUS messages carry the access request and the access decision between the VPN server and the NPS server.
Demo2: Using Network Access Protection
Exercise 1: Configuring Network Access Protection for VPN
IPsec-based Communication
Secure network: IPsec authenticated
Boundary network: reachable by both IPsec authenticated and unauthenticated clients
Restricted network: unauthenticated
NAP Enforcement Client
802.1X
VPN
IPsec
DHCP
NPS RADIUS
How NAP Works
IPsec Enforcement
IEEE 802.1X
Logical Networks
Remote Access VPNs
DHCP
IPSec Enforcement in Logical Networks
Communication Initiation Process with IPSec Enforcement
NAP Client Health Certificate Process
IPSec Enforcement in NAP
IPsec Reviewing
IPsec functionality
Operates at Layer 3 of the OSI model
Authentication methods for IPsec
Pre-shared key
Kerberos
Certificate
Certificate Reviewing
What is a digital certificate?
What is a certificate authority?
What is a digital certificate used for?
Identifying a user, computer, or service
Digital certificates for IPsec
Demo3: Network Access Protection - IPSec
• Create a certificate template for NAP exemptions
• Enable certificate autoenrollment
• Configure NAP to issue health certificates
• Configure the Health Registration Authority to request certificates from the subordinate CA
• Add the System Health Validation certificate to NPS
• Configure a GPO to ensure clients are configured to implement NAP
• Verify Network Access Protection
802.1x Authenticated Connections
Lesson 3: Network Access Protection Scenarios
Scenario 1: Roaming Laptops
Scenario 2: Health of Desktop Computers
Scenario 3: Health of Visiting Laptops
Scenario 4: Unmanaged Home Computers
Scenario 1: Roaming Laptops
Scenario 2: Health of Desktop Computers
Scenario 3: Health of Visiting Laptops
Scenario 4: Unmanaged Home Computers
NAP Authentication Process Background
Network Access Protection Settings
Authorization Policies
Authentication Process
Implementation/Usage Scenarios
Ensuring the Health of Corporate Desktops
Checking the Health and Status of Roaming Laptops
Determining the Health of Visiting Laptops
Verifying the Compliance of Home Computers
Summary
Network Access Protection:
Validates the health of computers, internal and remote, before they access the network
Has client and server components
Can use one or more of several methods for enforcement
IPsec
802.1X
VPN
DHCP
Provides support for third-party software
What Next?
Windows Server 2008 Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection
• Home Page: http://www.microsoft.com/nap
• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
• IPSec: http://www.microsoft.com/ipsec
• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx