How to configure NAP components

In this article we will see how to configure Security Health Validators (SHVs) when configuring NAP in your Windows infrastructure. Before you can go straight in configuring a SHV, you’ll need to install the Network Policy and Access Services server role. Note that for this demonstration I will be using a Windows Server 2008 R2 virtual machine.
Windows SHVs can be configured in Network Policy and Access Services/NPS/Network Access Protection/Windows Security Health Validator:
Windows Security Health Validator
There are two configurable sections here:
Settings – Windows Server 2008 will have a in-build configuration under this node. In this section you specify the policy settings for your Windows machines. There are two configurable options, one for Windows 7/Windows Vista and the other one for Windows XP. You can configure the SHV to verify if the firewall, antivirus, spyware, automatic updates are enabled and up to date on your NAP clients.
Windows Security Health Validators
Error codes – in this section you configure what behavior does the SHVs take when errors are encountered during the health validation process.
Windows Security Health Validator
The default SHV will check several Windows components. It will verify if the antivirus is turned on and updated with the latest virus definitions. Automatic updates, Windows Firewall and spyware software updates will also be checked.
Network policies – are used to allow or deny access to a NAP client based on the criteria specified in the policy. To configure a network policy, open the Network Policy and Access Services console, navigate to NPS/Policies/Network Policies and press the New button from the right corner of the panel:
Network policies
Once the Wizard has started, you will need to enter a policy name and select the NAP server type that will take advantage of this policy:
Network policy
In the conditions tab, press Add and select the desired conditions that NAP clients must pass to receive network access. I will select NAP Capable Computers because I want to grant access only for these machines:
NAP network policy
There are many common conditions that can be configured here so, I suggest to study all of them before configuring a network policy. You can set conditions based on the Operating System, Health Policy state, Policy Expiration and so on.
Once the conditions have been configured, click Next:
Network Policy
In the following section you’ll need to specify the access permission settings for the policy. Select the access granted options and click next. If you select deny access, the health validation check will not occur:
Network policy access permission
In the next section you can configure one or more authentication types used by connection requests:
NAP authentication methods
If desired, you can also configure network constraints for a network policy :
Network policy constraints
Now click next and proceed to the Configure Settings page. Here you can specify additional settings that affects the network policy. Navigate to the Network Access Protection page and select the access level for this policy. There are three options available in this section as follows:
New Network Policy Wizard
  • Allow full network access – this option is usually configured when creating the network policy for healthy NAP clients.
  • Allow full network access for a limited time – this option will grant network access to NAP clients for a specified period of time. Once the configured time has elapsed, non-compliant computers will only be able to access the restricted network. When using this method, click the Configure button from the bottom section and select a Remediation Server Group and a troubleshooting URL:
Remediation Servers and Troubleshooting URL
  • Allow limited access – this option is configured for non-compliant computers and will give access only to the specified Remediation Server Group
Once you click Next, review the newly configured network policy and click Finish:
Configuring a Network Policy
For troubleshooting purposes it’s recommended that you enable NAP logging on authentication requests. This would benefit system administrators by providing them an overall image of the NAP infrastructure. Open up the NPS console, right click this section and select Properties. In the General tab check the two available options: rejected authentication requests and successful authentication requests:
Network Policy Server Properties

Note that NAP errors are also logged in Event Viewer, don’t forget to check out this tool. For detailed NAP logging you can enable event tracing on the Network Access Protection Server by running the netsh nap client set traing enable level-verbose command from cmd (tracing files are stored in C:\Windows\Tracing)

That’s it for this post folks, by now we’ve covered the main aspects about NAP and all this info should be sufficient to install and configure a NAP infrastructure. Wish you all the best and have a great day!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s