Network Access Protection (NAP) : Windows Server 2008 R2

See NAP at TechEd 2009

MS NAP Team — Tue, 12 May 2009 03:53:00 GMT

Hey NAP Fans!

If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.

Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:

WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together

Presenter: Jay Ferron

Fri 5/15 | 9:00 AM-10:15 AM | Room 502A

WSV305 Deploying NAP: Best Practices and Lessons Learned

Presenters: Venkatesh Gopalakrishnan, Lambert Green

Fri 5/15 | 2:45 PM-4:00 PM | Room 403B

Hope to see you there,

The NAP Team

SHV Multi-Config in Windows Server 2008 R2

MS NAP Team — Thu, 02 Apr 2009 00:14:00 GMT

In Windows Server 2008, a system health validator (SHV) installed on the NPS server can be configured in a single way. This works well if your system health requirements are the same for all of your NAP enforcement methods and all of your computers. However, some deployments require different sets of health requirements for different enforcement methods and different groups of computers. For example, you might want to specify that desktop computers must have their anti-virus software enabled and VPN-connected computers must have their anti-virus software enabled and signature file up-to-date.

In Windows Server 2008 R2, the NAP platform supports SHVs in multiple configurations to support these more advanced configurations, a feature known as SHV multi-config. Existing SHVs must be updated to take advantage of this new feature and new SHVs should be written to use this feature. The Windows Security Health Validator (WSHV) provided with Windows Server 2008 R2 supports SHV multi-config. For more information, see the new INapComponentConfig3 API at http://msdn.microsoft.com/en-us/library/dd392506(VS.85).aspx.

To see the SHV multi-config support for the WSHV, use the Network Policy Server snap-in and open Network Access Protection-System Health Validators-Windows System Health Validator-Settings. The following figure shows an example.

For a larger version of this figure, click here.

There is a default configuration that you can configure if you only need a single configuration of the WSHV settings. This default configuration cannot be deleted or renamed. When you create health requirement policies with the NAP wizard, it will configure your health policies to use this default configuration.

To create another configuration for the WSHV, do the following:

1. Right-click Settings, and then click New.

2. In the Configuration Friendly Name dialog box, type a name for the new configuration, and then click OK.

3. In the Windows Security Health Validator dialog box, specify the system health requirements and then click OK.

The following figure shows an example of a new WSHV configuration with the name WSHV Settings for DHCP.

For a larger version of this figure, click here.

To specify the use of a non-default configuration for the WSHV in the Network Policy Server snap-in, open Policies-Health Policies, and then double-click the name of the health policy that you want to modify. On the Settings tab, in the SHVs used in this health policy list, click the drop-down arrow in the Setting column for the Windows Security Health Validator SHV to see a list of configurations. The following figure shows an example.

Click the desired configuration of the WSHV, and then click OK.

NAP Product Team

Example of using the new NPS templates feature in Windows Server 2008 R2

MS NAP Team — Thu, 26 Feb 2009 23:16:00 GMT

In a previous NAP blog entry, we described the new NPS templates feature in Windows Server 2008 R2. In this blog entry, we show an example of using a template for a RADIUS shared secret.

Templates for RADIUS shared secrets allow users to specify a shared secret that can be reused when configuring RADIUS clients and remote RADIUS servers in the Network Policy Server snap-in. To create and use a RADIUS shared secret template, do the following:

1. From the Network Policy Server snap-in, open the Templates Management node.

2. In the console tree, right-click Shared Secrets, and then click New.

3. In Template Name, type a name for the shared secret template, and then either manually specify the shared secret or have NPS automatically generate one.

4. Click OK to save changes.

To use the RADIUS shared secret template, configure a RADIUS client, a remote RADIUS server, or a remote RADIUS server template and specify the template name for the shared secret, rather than manually configuring a shared secret or having NPS generate one. The following figure shows an example.

To view which RADIUS clients, remote RADIUS servers, and remote RADIUS server templates use a specific RADIUS shared secret template, right click the name of the RADIUS shared secret template, and then click View Usage.

NAP Product Team

NPS templates in Windows Server 2008 R2

MS NAP Team — Tue, 17 Feb 2009 21:45:00 GMT

NPS templates, the flagship feature of NPS in Windows Server 2008 R2, provides a huge reduction in cost of ownership and deployment for all NPS environments. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets and RADIUS clients from the configuration running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is referenced. For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and remote RADIUS servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and remote RADIUS servers in which that RADIUS shared secret template is referenced.

You can also use NPS templates to assist in configuration with referencing them. For example, you can create a RADIUS client template that contains common settings (such as the vendor type or shared secret) for a specific group of RADIUS clients (such as all wireless APs from a specific vendor). When you create a new RADIUS client, you can select the RADIUS client template to obtain the common settings. When you unselect the template, the inherited settings remain and you can configure individual settings, such as the RADIUS client’s IP address.

Note Template settings are not supported by commands in the netsh nps context. Using netsh nps commands will remove the reference to the template and change the configuration element specified in the command.

NPS template settings can also be easily migrated and synchronized across multiple NPS servers.

The following types of configuration elements use templates:

· RADIUS shared secret

· RADIUS clients

· Remote RADIUS servers

· IP filters

· Health policies

· Remediation server groups

You can configure templates for these configuration elements from the Templates Management node of the Network Policy Server snap-in. The following figure shows an example.

For a larger version of this figure, click here.

Individual templates can be added, edited, duplicated, or deleted. After they are configured, they can be referenced and de-referenced in the appropriate dialog boxes in the Network Policy Server snap-in.

The following table lists the different types of templates and where they are used in the Network Policy Server snap-in.

Template	Where it is used
RADIUS shared secret	When creating or configuring RADIUS clients, remote RADIUS server group members, RADIUS client templates, or remote RADIUS server templates
RADIUS clients	When creating or configuring RADIUS clients
Remote RADIUS servers	When creating or configuring remote RADIUS server group members
IP filters	When configuring IP Filters settings for a network policy
Health policies	When creating or configuring health policies
Remediation server groups	When creating or configuring remediation server groups

NAP Product Team

NPS enhancements in Windows Server 2008 R2

MS NAP Team — Mon, 19 Jan 2009 20:06:00 GMT

As you are already aware, the beta version of Windows Server 2008 R2 is now available to the public for beta testing. See http://www.microsoft.com/windowsserver2008/en/us/R2-Beta.aspx for more information and the link to download the beta.

Here is the section from the Windows Server 2008 R2 Reviewer's Guide that describes the changes to the Network Policy Server (NPS) service in the beta release of Windows Server 2008 R2:

Improved Protection of Intranet Resources

The Network Policy Server (NPS) is a Remote Authentication Dial-In User Service (RADIUS) server and proxy and Network Access Protection (NAP) health policy server. NPS evaluates system health for NAP clients, provides RADIUS authentication, authorization, and accounting (AAA), and provides RADIUS proxy functionality.

NAP is a platform that includes both client and server components to enable fully extensible system health evaluation and authorization for a number of network access and communication technologies, including:

· Internet Protocol security (IPsec)-protected communication

· 802.1X-authenticated access for wireless and wired connections

· Remote access virtual private network (VPN) connections

· Dynamic Host Configuration Protocol (DHCP) address allocation

· Terminal Service (TS) Gateway access

The improvements to NPS in Windows Server 2008 R2 include:

· Automated NPS SQL logging setup. This new feature automatically configures a SQL database, required tables, and store procedure for NPS accounting data, which significantly reduces the NPS deployment effort.

· NPS logging improvements. The logging improvements enable NPS to simultaneously log accounting data to both a file and a SQL database, support failover from SQL database logging to file logging, and support logging with an additional file format that is structured similar to SQL logging.

· NAP multiple configurations of a system health validator (SHV), When you configure a health policy, you can select an SHV in a specific configuration. This allows you to specify different sets of health requirements based on a specific configuration of the SHV. For example, you can create a network policy that specifies that intranet-connected computers must have their anti-virus software enabled and a different network policy that specifies that VPN-connected computers must have their anti-virus software enabled and anti-malware installed.

· NPS templates. NPS templates separate common RADIUS configuration elements such as RADIUS shared secrets, IP filters, RADIUS clients, and others from the configuration that is running on the server. When referenced, the NPS setting inherits the values configured in the specified template. A change in the template changes the corresponding value in all of the places in which the template is referenced. For example, a single RADIUS shared secret template can be referenced for multiple RADIUS clients and servers. When you change the RADIUS shared secret template, the change is inherited by all of the RADIUS clients and servers in which that RADIUS shared secret template is referenced. NPS template settings can easily be synchronized across multiple NPS servers running Windows Server 2008 R2.

· Migration of Windows Server 2003 Internet Authentication Service (IAS) servers. This feature allows you to migrate the configuration settings of an IAS server running on Windows Server 2003 to an NPS server running on Windows Server 2008 R2.

__________________________________________________________________________________________________

The last bullet item is the same Iasmigreader.exe tool that I described in a previous NAP blog entry. I will publish more detailed descriptions of these features in future NAP blog posts.

Check out these new features. For ongoing beta support for NPS, post your question in the Windows Server 2008 R2 Networking TechNet forum.

Let the beta games begin!

Joe Davies
Senior Program Manager