NAPVPNStepbyStep.docx
- Document ID: 10635290
- Uploaded: 2023-02-22
- Format: DOCX
- Pages: 53
- Size: 224.28KB
Step-by-Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab
Microsoft Corporation
Published: February 2008
Abstract
Network Access Protection (NAP) is a new policy enforcement technology in Windows Vista®, Windows Server® 2008, and Windows XP with Service Pack 3 (SP3). NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the VPN enforcement method.
Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab ... 5
In this guide ... 5
Scenario overview ... 6
NAP enforcement processes ... 6
Policy validation ... 6
NAP enforcement and network restriction ... 7
Remediation ... 7
Ongoing monitoring to ensure compliance ... 7
NAP VPN enforcement overview ... 8
Hardware and software requirements ... 8
Steps for configuring the test lab ... 9
Configure DC1 ... 9
Install the operating system on DC1 ... 10
Configure TCP/IP on DC1 ... 10
Configure DC1 as a domain controller and DNS server ... 10
Install an enterprise root CA on DC1 ... 11
Create a user account in Active Directory ... 12
Add user1 to the Domain Admins group ... 13
Grant remote access permission to user1 ... 13
Create a security group for NAP client computers ... 14
Configure VPN1 ... 14
Install Windows Server 2008 ... 14
Configure TCP/IP properties on VPN1 ... 15
Join VPN1 to the C domain ... 16
User Account Control ... 16
Install the Routing and Remote Access server role ... 16
Configure Routing and Remote Access ... 17
Configure authentication methods on VPN1 ... 20
Allow ping on VPN1 ... 20
Configure NPS1 ... 21
Install Windows Server 2008 ... 21
Configure TCP/IP properties on NPS1 ... 22
Join NPS1 to the C domain ... 22
Install the NPS server role ... 23
Install the Group Policy Management feature ... 23
Configure NAP client settings in Group Policy ... 23
Configure security filters for the NAP client settings GPO ... 24
Obtain a computer certificate on NPS1 ... 25
Configure NPS as a NAP health policy server ... 26
Configure NAP with a wizard ... 27
Configure system health validators ... 29
Configure VPN1 as a NAP-capable RADIUS client ... 30
Allow ping on NPS1 ... 31
Configure CLIENT1 ... 32
Install Windows Vista on CLIENT1 ... 32
Configure TCP/IP for the intranet network segment ... 33
Enable Run on the Start menu ... 33
Verify network connectivity for CLIENT1 ... 33
Join CLIENT1 to the C domain ... 34
Add CLIENT1 to the NAP client computers security group ... 34
Verify Group Policy settings ... 35
Configure CLIENT1 for the Internet network segment ... 35
Configure TCP/IP on CLIENT1 ... 35
Verify network connectivity for CLIENT1 ... 36
Configure and test a VPN connection ... 36
Configure a VPN connection ... 36
Test the new VPN connection ... 38
Verifying NAP functionality ... 39
Verification of NAP auto-remediation ... 39
Verification of NAP policy enforcement ... 41
Configure WSHV to require an antivirus application ... 41
Connect to VPN1 from CLIENT1 ... 42
Remove the antivirus health requirement so that CLIENT1 can become compliant ... 43
See Also ... 43
Appendix ... 43
Set UAC behavior of the elevation prompt for administrators ... 44
Review NAP client events ... 44
Review NAP server events ... 44
Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab
Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.
In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.
NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose.
NAP enforces health requirements for the following:
∙ Internet Protocol security (IPsec)-protected communications
∙ Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
∙ VPN connections
∙ Dynamic Host Configuration Protocol (DHCP) configuration
∙ Terminal Services Gateway (TS Gateway)
The step-by-step instructions in this paper will show you how to deploy a NAP VPN enforcement test lab so that you can better understand how VPN enforcement works.
In this guide
This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the VPN enforcement method using three server computers and one client computer. You create and enforce client health requirements using NAP and VPN.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Scenario overview
In this test lab, NAP enforcement for VPN network access control is deployed with a server running Network Policy Server (NPS), a server running Routing and Remote Access, and a VPN enforcement client component. NAP-capable client computers with valid authentication credentials will be provided VPN access to an intranet based on their compliance with network health requirements.
NAP enforcement processes
Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.
Policy validation
NAP policy validation is performed by NPS in its role as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.
Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista and Windows Server 2008 operating systems, and enforce the following settings for NAP-capable computers:
∙ The client computer has firewall software installed and enabled.
∙ The client computer has antivirus software installed and running.
∙ The client computer has current antivirus updates installed.
∙ The client computer has antispyware software installed and running.
∙ The client computer has current antispyware updates installed.
∙ Microsoft Update Services is enabled on the client computer.
In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are inst
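As an added illustration (not part of the Microsoft guide), the following Python model walks through the NAP enforcement processes described above for one VPN connection attempt: NPS-side validation of a client's statement of health against the WSHV settings, the full/restricted access decision, client-side auto-remediation, and re-validation. The check identifiers, the set of checks the agent can auto-remediate, and the client's health values are assumptions of the model.

```python
from dataclasses import dataclass, field

# Health settings enforced by the Windows Security Health Validator (WSHV),
# as listed in the guide. The identifier names are this model's own.
WSHV_CHECKS = (
    "firewall_enabled",
    "antivirus_running",
    "antivirus_updated",
    "antispyware_running",
    "antispyware_updated",
    "microsoft_update_enabled",
)

# Settings the client-side agent is assumed able to fix on its own (auto-remediation);
# installing missing antivirus or antispyware software is not something it can do.
AUTO_REMEDIABLE = {"firewall_enabled", "microsoft_update_enabled"}


@dataclass
class HealthPolicy:
    """Which WSHV checks the NPS health policy requires (default: all of them)."""
    required: set = field(default_factory=lambda: set(WSHV_CHECKS))


def validate(soh: dict, policy: HealthPolicy) -> list:
    """Policy validation on NPS: the required checks the statement of health (SoH) fails."""
    return [c for c in WSHV_CHECKS if c in policy.required and not soh.get(c, False)]


def decide_access(failures: list) -> str:
    """Network policy outcome: full access when compliant, restricted access otherwise."""
    return "full" if not failures else "restricted"


def remediate(soh: dict, failures: list) -> dict:
    """Client-side auto-remediation of the failures the agent can fix; returns a new SoH."""
    return {**soh, **{c: True for c in failures if c in AUTO_REMEDIABLE}}


def vpn_connect(soh: dict, policy: HealthPolicy) -> dict:
    """One VPN connection attempt: validate, restrict if needed, remediate, re-validate."""
    failures = validate(soh, policy)
    access = decide_access(failures)
    remediated = False
    if access == "restricted":
        soh = remediate(soh, failures)
        remediated = True
        failures = validate(soh, policy)  # ongoing monitoring re-checks after remediation
        access = decide_access(failures)
    return {"access": access, "outstanding": failures, "remediated": remediated, "soh": soh}


# Constructed statement of health for a client whose firewall has been turned off.
CLIENT1_SOH = {c: True for c in WSHV_CHECKS}
CLIENT1_SOH["firewall_enabled"] = False
```

A client missing antivirus software stays restricted after remediation, with the antivirus checks listed as outstanding, until either the software is installed or the antivirus requirement is removed from the policy, which is the scenario the guide's verification steps walk through.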