In this article we will see how to configure Security Health Validators (SHVs) when setting up NAP in your Windows infrastructure. Before you can configure an SHV, you'll need to install the Network Policy and Access Services server role. Note that for this demonstration I will be using a Windows Server 2008 R2 virtual machine.
Windows SHVs can be configured in Network Policy and Access Services/NPS/Network Access Protection/Windows Security Health Validator:
There are two configurable sections here:
Settings – Windows Server 2008 has a built-in configuration under this node. In this section you specify the policy settings for your Windows machines. There are two configurable options, one for Windows 7/Windows Vista and the other for Windows XP. You can configure the SHV to verify that the firewall, antivirus, antispyware protection and automatic updates are enabled and up to date on your NAP clients.
Error codes – in this section you configure how the SHV behaves when errors are encountered during the health validation process.
The default SHV will check several Windows components. It will verify that the antivirus is turned on and updated with the latest virus definitions. Automatic Updates, Windows Firewall and antispyware software updates will also be checked.
Network policies are used to allow or deny access to a NAP client based on the criteria specified in the policy. To configure a network policy, open the Network Policy and Access Services console, navigate to NPS/Policies/Network Policies and press the New button in the right corner of the panel:
Once the Wizard has started, you will need to enter a policy name and select the NAP server type that will take advantage of this policy:
In the Conditions tab, press Add and select the conditions that NAP clients must meet to receive network access. I will select NAP Capable Computers because I want to grant access only to these machines:
There are many conditions that can be configured here, so I suggest studying all of them before configuring a network policy. You can set conditions based on the operating system, Health Policy state, Policy Expiration and so on.
Once the conditions have been configured, click Next:
In the following section you'll need to specify the access permission setting for the policy. Select Access granted and click Next. If you select Access denied, the health validation check will not occur:
In the next section you can configure one or more authentication types used by connection requests:
If desired, you can also configure network constraints for a network policy:
Now click Next and proceed to the Configure Settings page. Here you can specify additional settings that affect the network policy. Navigate to the Network Access Protection page and select the access level for this policy. There are three options available in this section:
- Allow full network access – this option is usually configured when creating the network policy for healthy NAP clients.
- Allow full network access for a limited time – this option will grant network access to NAP clients for a specified period of time. Once the configured time has elapsed, non-compliant computers will only be able to access the restricted network. When using this method, click the Configure button from the bottom section and select a Remediation Server Group and a troubleshooting URL:
- Allow limited access – this option is configured for non-compliant computers and gives access only to the specified Remediation Server Group.
Once you click Next, review the newly configured network policy and click Finish:
For troubleshooting purposes it's recommended that you enable NAP logging of authentication requests. This gives system administrators an overall picture of the NAP infrastructure. Open the NPS console, right-click the top-level NPS node and select Properties. In the General tab, check the two available options: rejected authentication requests and successful authentication requests:
Note that NAP errors are also logged in Event Viewer, so don't forget to check that tool as well. For detailed NAP logging you can enable event tracing on the Network Access Protection server by running the `netsh nap client set tracing state=enable level=verbose` command from cmd (tracing files are stored in C:\Windows\Tracing).
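As an added example that is not part of the original post, the PowerShell snippet below reads the NPS audit events that those two logging checkboxes produce and summarizes the access decisions per network policy, so you can see which clients ended up quarantined or on probation. It assumes it runs on the NPS server with administrative rights, and that the event IDs (6272, 6273, 6276, 6277, 6278) and the EventData field names used below match the standard NPS audit events on your server.

```powershell
# Added example (not from the original post): summarize NPS/NAP audit events.
# Assumptions: run on the NPS server as an administrator; event IDs and
# EventData field names are the standard NPS audit ones and are assumed to apply.

# The two NPS logging checkboxes map to this audit subcategory; confirm it is on.
$audit = (auditpol /get /subcategory:"Network Policy Server") -join "`n"
if ($audit -notmatch 'Success') {
    Write-Warning 'Network Policy Server auditing is off; no NAP events will be logged.'
}

$ids = @{
    6272 = 'Access granted'
    6273 = 'Access denied'
    6276 = 'Quarantined (non-compliant, limited access)'
    6277 = 'Probation (non-compliant, full access for a limited time)'
    6278 = 'Full access (compliant)'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <Data Name="..."> elements of the event into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = $ids[$e.Id]
        Client     = $data['FullyQualifiedSubjectMachineName']
        User       = $data['FullyQualifiedSubjectUserName']
        Policy     = $data['NetworkPolicyName']
        Reason     = $data['Reason']
        Quarantine = $data['QuarantineState']
    }
}

# Per-policy, per-result counts give the overall picture of the NAP deployment.
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Non-compliant clients are the ones that need remediation follow-up.
$rows | Where-Object { $_.Result -like '*non-compliant*' } |
    Sort-Object Time -Descending | Format-Table Time, Client, Policy, Reason -AutoSize
```

If the first table is empty even though clients are connecting, check the auditpol warning above before suspecting the network policies themselves.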
That's it for this post folks, by now we've covered the main aspects of NAP and all this info should be sufficient to install and configure a NAP infrastructure. Wish you all the best and have a great day!