
Network Access Protection (NAP)

This service allows an administrator to set the level of health required for the network and to restrict computers that do not meet these requirements from communicating with the corporate network. For example, NAP can check which updates are deployed on the workstation, whether the antivirus or antispyware is up to date, and so on. If a computer does not meet the security standards in force in the company, it is confined to a restricted (quarantine) network where it can find services that allow it, for example, to update its system and return to a compliant configuration. NAP also verifies the compliance of the workstation throughout the session. For example, if the user disables the built-in firewall, NAP can automatically take action to re-enable it if the security policy requires that the firewall be enabled. Security policies are stored on a server called the NPS (Network Policy Server). NAP can be used with Windows Vista clients and Windows XP SP3.

NAP infrastructure includes the following server roles:

o Health policy server. Sometimes referred to as the Network Policy Server (NPS), the health policy server is a Windows Server 2008 server running IAS. Regardless of the enforcement method, this server evaluates the statements of health submitted by clients and determines what access to allow.
o Health requirement server. Also called the NAP Administration Server, this Windows Server 2008 server
o Health registration authority. This server must be running Windows Server 2008; it receives health certificates from a certificate authority (CA) and forwards them to clients that meet the system health requirements.
o Active Directory Domain Services (AD DS). AD DS provides user authentication and other services; it is required for IPsec, 802.1X, and VPN enforcement.
o Remediation servers. These are servers accessible to non-compliant clients on the restricted network. NAP clients can access the remediation servers to retrieve operating system updates, up-to-date antivirus signatures, or other resources in order to become compliant with the health requirement policies.

Enforcement

For NAP to work, a network component must enforce NAP by either allowing or denying network access. One or more of the following four enforcement methods must be implemented:

o IPsec. IPsec does not appear on the diagram because, when it is used as the enforcement method, all of the managed systems have IPsec policies that limit access for systems that have not demonstrated compliance.
o 802.1X. Ethernet switches or wireless access points that support 802.1X authentication.
o VPN. A server running Windows Server 2008 and RRAS; it provides remote access to clients.
o DHCP. A server running Windows Server 2008 and the DHCP service.

NAP enforcement methods

NAC solutions can be distinguished according to their methods of enforcing compliance with the health requirements. NAP supports five different enforcement methods: DHCP enforcement, VPN enforcement, 802.1X enforcement, IPsec enforcement, and TS Gateway enforcement. Third-party vendors can extend NAP with their own enforcement methods.

IPsec Connection Security

This enforcement type requires clients to perform a NAP health check before they can receive a health certificate. In turn, this health certificate is required for IPsec connection security before the client can connect to IPsec-protected hosts. IPsec enforcement allows you to require health compliance on a per-IP address or a per-TCP/UDP port number basis. For example, you could allow noncompliant computers to connect to a Web server but allow only compliant computers to connect to a file server, even if the two services are running on a single computer. You can also use IPsec connection security to allow healthy computers to communicate only with other healthy computers. IPsec enforcement requires a CA running Windows Server 2008 Certificate Services and NAP to support health certificates. In production environments, you will need at least two CAs for redundancy. Other public key infrastructures (PKIs) will not work. IPsec enforcement provides a very high level of security, but it can protect only computers that are configured to support IPsec.

802.1X Access Points

This enforcement type uses Ethernet switches or wireless access points that support 802.1X authentication. Compliant computers are granted full network access, and noncompliant computers are connected to a remediation network or completely prevented from connecting to the network. If a computer falls out of compliance after connecting to the 802.1X network, the 802.1X network access device can change the computer's network access. This provides some assurance of compliance for desktop computers, which might remain connected to the network indefinitely. 802.1X enforcement uses one of two methods to control which level of access compliant, noncompliant, and unauthenticated computers receive:

o An access control list (ACL). A set of IPv4 or IPv6 packet filters configured on the 802.1X access point. The 802.1X access point applies the ACL to the connection and drops all packets that are not allowed by the ACL. Typically, you apply an ACL to noncompliant computer connections and allow compliant computers to connect without an ACL (thus granting them unlimited network access). ACLs allow you to prevent noncompliant computers from connecting to one another, thus limiting the ability of a worm to spread, even among noncompliant computers.

o A virtual local area network (VLAN). A group of ports on the switch that are grouped together to create a separate network. VLANs cannot communicate with one another unless you connect them using a router. VLANs are identified using a VLAN identifier, which must be configured on the switch itself. You can then use NAP to specify in which VLAN the compliant, noncompliant, and unauthenticated computers are placed. When you place noncompliant computers into a VLAN, they can communicate with one another. This can allow a noncompliant computer infected with a worm to attack, and possibly infect, other noncompliant computers. Another disadvantage of using VLANs is that the client's network configuration must change when transitioning from being a noncompliant NAP client to being a compliant NAP client (for example, if they are able to successfully apply updates). Changing the network configuration during system startup and user logon can cause Group Policy updates or other boot processes to fail.

VPN Server

This enforcement type enforces NAP for remote access connections using a VPN server running Windows Server 2008 and Routing and Remote Access (other VPN servers do not support NAP). With VPN server enforcement enabled, only compliant client computers are granted unlimited network access. The VPN server can apply a set of packet filters to connections for noncompliant computers, limiting their access to a remediation server group that you define. You can also define IPv4 and IPv6 packet filters, exactly as you would when configuring a standard VPN connection.

DHCP Server

This enforcement type uses a computer running Windows Server 2008 and the Dynamic Host Configuration Protocol (DHCP) Server service that provides IP addresses to intranet clients. Only compliant computers receive an IP address that grants full network access; noncompliant computers are granted an IP address with a subnet mask of 255.255.255.255 and no default gateway. Additionally, noncompliant hosts receive a list of host routes (routes that direct traffic to a single IP address) for network resources in a remediation server group that you can use to allow the client to apply any updates required to become compliant. This IP configuration prevents noncompliant computers from communicating with network resources other than those you configure as part of a remediation server group. If the health state of a NAP client changes (for example, if Windows Firewall is disabled), the NAP client performs a new health evaluation using a DHCP renewal. This allows clients that become noncompliant after successfully authenticating to the network to be blocked from further network access. If you change the health policy on NAP servers, the changes will not be enforced until the client's DHCP lease is renewed. Although 802.1X network access devices and VPN servers are capable of disconnecting computers from the network, and IPsec enforcement can allow connections only from healthy computers, DHCP server enforcement points can be bypassed by an attacker who manually configures an IP address. Nonetheless, DHCP server enforcement can reduce the risk from nonmalicious users who might attempt to connect to your network with a noncompliant computer.
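The restricted-access lease described above (a 255.255.255.255 mask, no default gateway, and host routes to the remediation servers) can be recognised from the client itself, and the caveat that a statically configured address is not subject to DHCP enforcement tells a defender what to look for in inventory. The following PowerShell is an added example written for this guide, not code from the original document or from Microsoft. It assumes a Windows Vista/7 or XP SP3 NAP client with PowerShell 2.0 run from an elevated prompt, the NAP Agent service name napagent, the well-known DHCP quarantine enforcement client ID 79617, and the "Restriction state" field name as printed by netsh; the function names are my own.

```powershell
# Added example (not from the original guide). Classifies each IP-enabled adapter
# against the NAP DHCP enforcement signature and reports the NAP Agent state.
# Assumes PowerShell 2.0 on a Vista/7 or XP SP3 client, run elevated.

function Get-NapAgentSummary {
    # The NAP Agent service (short name 'napagent') must be running for any SHA
    # to report health; 'netsh nap client show state' is the built-in status view.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $raw = (& netsh nap client show state 2>&1) | Out-String
    # Field name as printed by netsh on Vista/7 (assumption: adjust if your build differs).
    $restriction = 'unknown'
    if ($raw -match 'Restriction state\s*=\s*([^\r\n]+)') { $restriction = $Matches[1].Trim() }
    New-Object PSObject -Property @{
        NapAgentService             = $status
        RestrictionState            = $restriction
        DhcpEnforcementClientListed = ($raw -match '79617')   # DHCP Quarantine Enforcement Client ID
    }
}

function Get-NapDhcpAdapterState {
    # One row per IP-enabled adapter. A /32 mask with no gateway is the lease the
    # guide describes for noncompliant clients; a DHCP-disabled adapter carries a
    # static address, which is exactly the case the guide says DHCP enforcement
    # cannot restrict, so it is flagged for comparison with your inventory.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($a in $adapters) {
        $ipv4  = @($a.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        $masks = @($a.IPSubnet  | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        $gws   = @($a.DefaultIPGateway | Where-Object { $_ })
        $state = 'FullAccess'
        if (-not $a.DHCPEnabled) {
            $state = 'StaticAddress (not subject to DHCP enforcement)'
        }
        elseif (($masks -contains '255.255.255.255') -and ($gws.Count -eq 0)) {
            $state = 'Restricted (remediation network only)'
        }
        New-Object PSObject -Property @{
            Adapter    = $a.Description
            IPv4       = ($ipv4 -join ',')
            Mask       = ($masks -join ',')
            Gateway    = ($gws -join ',')
            DhcpServer = $a.DHCPServer
            State      = $state
        }
    }
}

function Get-RemediationHostRoutes {
    # Host routes (/32) are how the restricted lease reaches the remediation server
    # group. Loopback, the adapter's own addresses and the limited broadcast are the
    # /32 entries every host has, so they are excluded to leave the NAP-supplied ones.
    $own = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
             ForEach-Object { $_.IPAddress })
    Get-WmiObject -Class Win32_IP4RouteTable -Filter "Mask = '255.255.255.255'" |
        Where-Object { $_.Destination -ne '255.255.255.255' -and
                       -not $_.Destination.StartsWith('127.') -and
                       $own -notcontains $_.Destination } |
        Select-Object Destination, NextHop, InterfaceIndex
}

# Usage: run all three and review the output on a client that just obtained a lease.
Get-NapAgentSummary | Format-List
Get-NapDhcpAdapterState | Format-Table -AutoSize
Get-RemediationHostRoutes | Format-Table -AutoSize
```

A machine whose adapter shows StaticAddress on a subnet that is supposed to be DHCP-only is worth a second look, since that is the one configuration the DHCP enforcement point cannot restrict; the host-route listing is the quickest way to confirm that a restricted client can still reach its remediation servers.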

System Health Agents and System Health Validators


System Health Agent (SHA). This is the agent/service on the Enforcement Client (EC) that sends health information to the Enforcement Server (ES). The SHA for the Windows System Health Validator is included in Windows Vista and Windows XP SP3.

System Health Validator (SHV). The System Health Validator takes the information that it has received from the System Health Agent and compares that information against the health policy that has been defined.

The NAP connection process is as follows:

1. The NAP client connects to a network that requires NAP.
2. Each SHA on the NAP client validates its system health and generates a Statement of Health (SoH). The NAP client combines the SoHs from multiple SHAs into a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs.
3. The NAP client sends the SSoH to the NAP health policy server through the NAP enforcement point.
4. The NAP health policy server uses its installed SHVs and the health requirement policies that you have configured to determine whether the NAP client meets health requirements. Each SHV produces a Statement of Health Response (SoHR), which can contain remediation instructions (such as the version number of an antivirus signature file) if the client doesn't meet that SHV's health requirements.
5. The NAP health policy server combines the SoHRs from the multiple SHVs into a System Statement of Health Response (SSoHR).
6. The NAP health policy server sends the SSoHR back to the NAP client through the NAP enforcement point. The NAP enforcement point can now connect a compliant computer to the network or connect a noncompliant computer to a remediation network.
7. Each SHA on the NAP client processes the SoHR created by the corresponding SHV. If possible, any noncompliant SHAs can attempt to come into compliance (for example, by downloading updated antivirus signatures).
8. If any noncompliant SHAs were able to meet the requirements specified by the SHV, the entire process starts over again, hopefully with a successful result.

Installing the Network Policy Server


NAP depends on a Windows Server 2008 NAP health policy server, which acts as a RADIUS server, to evaluate the health of client computers.

1. The first step is to add the Network Policy Server role. Open Server Manager, right-click Roles and click Add Roles.

2. The Add Roles Wizard begins. Click Next.

3. Tick the box next to Network Policy and Access Services and click Next.

4. An introduction to Network Policy and Access Services is displayed. Click Next

5. Place a tick in the box next to Network Policy Server and click Next.

Network Policy Server must be selected in order to use any of the other items. Routing and Remote Access Services enables VPN termination; you may install it at the same time if you plan to run this server as a VPN server.

6. The next window displays the confirmation of the role to be installed. Click Install.

7. The role has been installed successfully. Click Close. This installs the core NPS service, which is sufficient for using the Windows Server 2008 computer as a RADIUS server for 802.1X, VPN, or DHCP enforcement.
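The seven wizard steps above can be scripted for repeatable builds, and a practitioner will also want to confirm that the NPS service actually started and to take a configuration baseline before touching policies. The following PowerShell is an added example, not code from the original guide or from Microsoft. It assumes an elevated prompt on Windows Server 2008 (where ServerManagerCmd.exe is used) or 2008 R2 (where the ServerManager module provides Add-WindowsFeature), the role identifiers NPAS-Policy-Server and NPAS-RRAS-Services, the NPS service name IAS, and the netsh nps export command; the backup path and the function names are my own choices.

```powershell
# Added example (not from the original guide): scripted equivalent of the Add Roles
# wizard, a check that the NPS service (service name 'IAS') is running, and an
# export of the NPS configuration as a baseline backup. Run from an elevated prompt.

function Install-NpsRole {
    param([switch]$WithRras)   # add RRAS only if this box will also terminate VPNs
    # Role identifiers: NPAS-Policy-Server = Network Policy Server,
    # NPAS-RRAS-Services = Routing and Remote Access Services.
    $roles = @('NPAS-Policy-Server')
    if ($WithRras) { $roles += 'NPAS-RRAS-Services' }

    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (Get-Command Add-WindowsFeature -ErrorAction SilentlyContinue) {
        $result = Add-WindowsFeature -Name $roles        # Windows Server 2008 R2
        return [bool]$result.Success
    }
    foreach ($role in $roles) {                          # Windows Server 2008
        & ServerManagerCmd.exe -install $role | Out-Null
        if ($LASTEXITCODE -ne 0) { return $false }
    }
    return $true
}

function Test-NpsService {
    # 'IAS' is the service name behind the 'Network Policy Server' display name.
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name IAS
        $svc.Refresh()
    }
    return ($svc.Status -eq 'Running')
}

function Backup-NpsConfiguration {
    param([string]$Path = "C:\NpsBackup\nps-$(Get-Date -Format yyyyMMdd-HHmm).xml")  # path is my choice
    # netsh nps export writes the whole NPS configuration (policies, SHV settings,
    # RADIUS clients). exportPSK=YES includes shared secrets, so restrict the file's ACL.
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    & netsh nps export filename="$Path" exportPSK=YES | Out-Null
    return (Test-Path $Path)
}

# Usage: install, verify the service, then take the baseline export.
if (Install-NpsRole) {
    if (Test-NpsService) {
        if (Backup-NpsConfiguration) { 'NPS installed, running and backed up.' }
    }
}
```

Taking the export before any policy work gives a known-good file to diff against after the NAP wizard and the SHV changes described in the following sections; repeat the export after those steps so that changes to health policies are recorded alongside the rest of the configuration.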

Configuring the Network Policy Server to perform NAP enforcement


Open the Network Policy Server console from Start, Administrative Tools, Network Policy Server.

The Getting Started screen appears. Here you can use the standard configuration wizard to configure:

o Network Access Protection (NAP)
o RADIUS server for Dial-Up or VPN Connections
o RADIUS server for 802.1X Wireless or Wired Connections

Click Configure NAP.

You will see the Select Network Connection Method Used for NAP screen.

In the Network Connection dropdown box, select Dynamic Host Configuration Protocol (DHCP).

In the Policy Name text box, accept the default selection of NAP DHCP. With these settings configured, click Next to display the NAP Enforcement Servers screen. If the DHCP Server is running on the local computer, this screen can be skipped. If, on the other hand, the DHCP servers are running on one or more remote servers, they must each have the Network Policy Server role installed and be configured as a RADIUS proxy to forward connection requests to the local NPS server. Click the Add... button and enter the name and IP address of the remote DHCP server and either manually enter or generate a shared secret, which will need to be entered into the NAP DHCP policy of any remote DHCP servers. Repeat this process for each remote DHCP server before clicking Next to proceed to the DHCP Scopes screen.

The Specify DHCP Scopes screen appears. If network client health is to be enforced for all IP addresses allocated by the DHCP server, then no scopes need to be defined here. If, on the other hand, NAP enforcement is only required for certain IP address ranges, define the scopes here.

Click Add, and enter the name of the DHCP scope.

On the next screen, enter the specific machines and users which are to be granted or denied access. On the Machine Groups screen, simply click Next.

The NAP Remediation Server settings page allows the addresses of remediation servers to be specified, from which clients may obtain the updates necessary to reach NAP compliance. It is also possible to specify a web page URL which displays information to the user about how to bring their computer into compliance with the defined policy. When the appropriate information has been entered, click Finish.

The Define NAP Health Policy screen appears. From here you can define the following options:

o Enable Auto-Remediation of Client Computers. This option is selected by default.
o Allow/Deny Full Access to NAP-Ineligible Client Computers. The Deny option is selected by default.

Click Next and then Finish.

System Health Validators (SHVs).


Create a new SHV configuration to ensure the Windows Firewall is enabled and antivirus is configured.

1. In the Network Policy Server console tree, double-click Network Access Protection, and then double-click System Health Validators (or right-click it and select Properties).

In the Windows Security Health Validator Properties dialog box, select Configure...

From here you can configure which components of the Windows Security Health Validator will be used to determine client health, including:

o Windows Firewall enabled
o Antivirus application enabled
o Antivirus definitions up to date
o Anti-spyware application enabled (not available in the Windows XP NAP Agent)
o Anti-spyware definitions up to date (not available in the Windows XP NAP Agent)
o Automatic Updates enabled
o Windows software updates, based on either the Microsoft Web site or a WSUS server

Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box. Close the Network Policy Server console.
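The checks listed above are the conditions the Windows SHA reports in its SoH and the Windows Security Health Validator evaluates, following the SoH/SoHR exchange described under System Health Agents and System Health Validators. The following PowerShell is an added example, not part of the original guide and not Microsoft's SHA or SHV code: it evaluates the same conditions locally on a client and returns one row per check, paired with the kind of remediation hint an SoHR would carry, which is useful when explaining why a client landed on the remediation network. It assumes Windows Vista/7 (the HNetCfg.FwPolicy2 COM object and the root\SecurityCenter2 WMI namespace) with a fallback to XP SP3 (HNetCfg.FwMgr and root\SecurityCenter), and the Microsoft.Update.AutoUpdate COM object; decoding the Security Center productState value by hex digits is a widely used heuristic rather than a documented API, and all function names are mine.

```powershell
# Added example (not from the original guide): a local pre-check of the conditions
# the Windows Security Health Validator can require. Function names are my own.

function New-Check([string]$Name, [bool]$Pass, [string]$Remediation) {
    # Mirrors the SoH/SoHR pairing: the observed state plus the fix a failing
    # check would be told to apply.
    New-Object PSObject -Property @{
        Check = $Name; Compliant = $Pass
        Remediation = $(if ($Pass) { '' } else { $Remediation })
    }
}

function Test-FirewallEnabled {
    try {
        # Vista/7: per-profile state (1 = domain, 2 = private, 4 = public);
        # only the profiles currently active are considered.
        $fw = New-Object -ComObject HNetCfg.FwPolicy2
        foreach ($p in 1, 2, 4) {
            if (($fw.CurrentProfileTypes -band $p) -and -not $fw.FirewallEnabled($p)) { return $false }
        }
        return $true
    }
    catch {
        # XP SP3: the older firewall manager object exposes a single current profile.
        $mgr = New-Object -ComObject HNetCfg.FwMgr
        return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
    }
}

function Get-SecurityProducts([string]$Class) {
    # root\SecurityCenter2 exists on Vista SP1 and later; XP SP3 only has
    # root\SecurityCenter (which has no AntiSpywareProduct class, as the guide notes).
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $p = Get-WmiObject -Namespace $ns -Class $Class -ErrorAction SilentlyContinue
        if ($p) { return @($p) }
    }
    return @()
}

function Get-ProductStatus($Product) {
    # SecurityCenter2 packs enabled/up-to-date into productState; the hex-digit
    # decoding below is the common community heuristic (assumption, not a documented
    # contract). SecurityCenter (XP) exposes explicit booleans instead.
    if ($Product.PSObject.Properties['productState']) {
        $hex = '{0:X6}' -f [int]$Product.productState
        return New-Object PSObject -Property @{
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
    New-Object PSObject -Property @{
        Enabled  = [bool]$Product.onAccessScanningEnabled
        UpToDate = [bool]$Product.productUptoDate
    }
}

function Test-WindowsShvChecks {
    $checks = @()
    $checks += New-Check 'Windows Firewall enabled' (Test-FirewallEnabled) 'Turn on Windows Firewall for the active profile'

    $kinds = @(
        @{ Class = 'AntiVirusProduct';   Label = 'Antivirus' },
        @{ Class = 'AntiSpywareProduct'; Label = 'Anti-spyware' }
    )
    foreach ($kind in $kinds) {
        $on = $false; $current = $false
        foreach ($p in @(Get-SecurityProducts $kind.Class | Where-Object { $_ })) {
            $s = Get-ProductStatus $p
            if ($s.Enabled) { $on = $true; if ($s.UpToDate) { $current = $true } }
        }
        $label = $kind.Label.ToLower()
        $checks += New-Check "$($kind.Label) application enabled" $on "Install or enable a $label product registered with Security Center"
        $checks += New-Check "$($kind.Label) definitions up to date" $current "Update $label definitions"
    }

    # Automatic Updates: NotificationLevel 1 = disabled, 2 to 4 = enabled in some form.
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $checks += New-Check 'Automatic Updates enabled' ($au -ge 2) 'Enable Automatic Updates'

    New-Object PSObject -Property @{
        Compliant = (@($checks | Where-Object { -not $_.Compliant }).Count -eq 0)
        Checks    = $checks
    }
}

# Usage: print the per-check table and the overall verdict.
$report = Test-WindowsShvChecks
$report.Checks | Format-Table Check, Compliant, Remediation -AutoSize
"Overall compliant: $($report.Compliant)"
```

On an XP SP3 client the anti-spyware rows will report as not enabled because that namespace has no AntiSpywareProduct class, which matches the guide's note that those two checks are not available in the Windows XP NAP Agent; the SHV on the server should therefore not be configured to require them for XP clients.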

Creating a System Health Policy


Now that you have configured the System Health Validators, you must configure a System Health Policy. System health policies define the system health validation results. Essentially, this means defining what constitutes a pass or fail when the system health validation is performed on a client. To configure the Network Policy Server's health policy, navigate through the console tree to NPS (Local) > Policies > Health Policies.

Now, right-click the Health Policies container and select the New command from the resulting shortcut menu. When you do, Windows displays the Create New Health Policy dialog box.

We then need to tell Windows how to handle compliant or noncompliant systems from the system health perspective. We will configure Windows to use the Windows Security Health Validator policy, which passes or fails the defined criterion of having an antivirus program installed on the system.

In the Create New SHV Template dialog box, under Name, type Fail. Under Template Type, choose Client fails one or more SHV checks. Under Select desired SHVs, select the Windows Security Health Validator. Click OK.

Configuring Network policies


Network policies evaluate information contained in client authorization requests and grant network access based on the results. A network policy determines whether a client complies with health policy.

NAP enforcement and network restriction

NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:

o Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
o Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
o Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.

Here we will assign the PASS policy so that compliant systems are granted full access; for the FAIL policy, systems are granted access only to the remediation network to install the antivirus. The wizard that adds the policies in the MS-NAP implementation is straightforward.

Open the Network Policies node in the Network Policy Server management console. Open the properties of the FAIL policy. Go to the Settings tab and select NAP Enforcement in the Network Access Protection section.

Enable the option Allow limited access and click Configure. Choose the Kaspersky Administration Kit group that you created in the drop-down menu. Enter a web page URL containing troubleshooting instructions; it may be an application installation guide or instructions on launching a scan or update. In this example the link points to the Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 installer on the Administration Server.

Click OK twice.

Health validation

If a client computer fails to meet policy requirements (for example, if the requirement Anti-Virus application installed, enabled in the policy, is unfulfilled), an exclamation icon appears in the system tray next to the system clock and a message informs the user that "Your computer is not compliant with the requirements of this network". Network access is limited for this PC.

Click More Information

Install Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 and reboot the PC. After passing all checks in compliance with the Kaspersky settings (for example, Anti-Virus application installed), a green icon appears in the system tray next to the system clock and a message informs the user that the computer is compliant with the requirements of this network. The client receives standard network settings and unlimited network access.

Configuring DHCP Server NAP Settings


The NAP settings associated with a DHCP server can be configured either on a server-wide (global) or per-scope basis. To configure global settings for a DHCP server, open the DHCP console (Start > All Programs > Administrative Tools > DHCP) and unfold the tree in the left panel for the required DHCP server. Right-click IPv4, select Properties and select the Network Access Protection tab.

Within this screen, Network Access Protection settings on all scopes can be enabled or disabled using the two buttons. Further, the default behavior of the DHCP server when the Network Policy Server (NPS) is unreachable may also be configured. In Full Access mode, all DHCP clients are given full and unrestricted access to the network (essentially behaving as though NAP enforcement is not implemented). Restricted Access allows clients to access resources only on the server to which they are connected; the rest of the network is off limits until the NPS server comes back online. Finally, Drop Client Packet prevents all client access to the network.

Configuring NAP Settings for Scopes

The NAP settings for specific scopes can also be accessed and modified using the DHCP console. Once the DHCP console is running (as outlined in the preceding section), unfold the required server in the left-hand panel, then unfold the IPv4 entry so that the currently configured scopes are listed. Right-click the required scope entry, select Properties and click the Network Access Protection tab.

Exam Questions

Question
You are an Enterprise administrator for Certkiller.com. The company consists of a head office and a branch office, which are connected through VPN connectivity. The corporate network of the company consists of servers that run Windows Server 2008. The head office of the company has Network Access Protection (NAP) enforcement deployed for VPNs. Which of the following options would you choose to ensure that the health of all clients can be monitored and reported?
A. Create a Group Policy object (GPO) and link it to the domain and then set the Require trusted path for credential entry option to Enabled.
B. Create a Group Policy object (GPO) and link it to the domain and then enable the Security Center.
C. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Security Center.
D. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Require trusted path for credential entry option.
Answer: B

Explanation: NAP replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which provided the ability to restrict access to a network for dial-up and virtual private network (VPN) clients. That solution was restricted to dial-up/VPN clients only. NAP improves on this functionality by additionally restricting clients that connect to a network directly, either wirelessly or physically, using the Security Center. NAP restricts clients using the following enforcement methods: IP security (IPsec), 802.1X, Dynamic Host Configuration Protocol (DHCP) and VPN. However, to enable NAP on all the clients in your domain, you should create a group policy, link it to the domain and then enable the Security Center.

Question
You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the corporate network run Windows Server 2008. The company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on the network. Which of the following options would you choose to configure the wireless network to accept smart cards?
A. Use WEP, 802.1X authentication, PEAP, and MS-CHAP v2.
B. Use WPA2, PEAP, and MS-CHAP v2.
C. Use WPA2, 802.1X authentication and EAP-TLS.
D. Use WPA, PEAP, and MS-CHAP v2 and also require strong user passwords.
E. None of the above

Answer: C
Explanation: To configure the wireless network to accept smart cards, you need to use WPA2, 802.1X authentication and EAP-TLS. The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS).

Question
You are an enterprise administrator for Certkiller. The company has a head office and 15 branch offices. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The branch office computers use VPN connections to connect to the head office computers. Which of the following options would you choose to ensure that users cannot access the VPN server remotely from 21:00 to 06:00?
A. Create a network policy for VPN connections and configure the Day and time restrictions accordingly.
B. Configure the Logon Hours for the default domain policy by enabling the Force logoff when logon hours expire option.
C. Create a network policy for VPN connections and apply an IP filter to deny access to the corporate network.
D. Configure the Logon hours for all user objects by specifying only the VPN server on the Computer restrictions option.
Answer: A
Explanation: To ensure that users cannot access the VPN server remotely from 21:00 to 06:00, you need to create a network policy for VPN connections and then modify the Day and time restrictions. The network policy provides a policy condition called "Allow full network access for a limited time", which allows clients to temporarily access the full network. However, the NAP enforcement is delayed until the specified date and time.

Question
Certkiller.com employs RRAS (Routing and Remote Access services) for remote user access. The remote users are not domain members. You find out that a virus is infecting internal member computers through a remote user computer. The remote user computer is the source of the virus that is infecting the domain members' computers. What should you do to protect the corporate network against viruses and malicious programs that are transmitted from a remote computer?
A. Create a network health policy that requires anti-virus software to be running and to update itself frequently.
B. Install file-level anti-virus software on the RRAS server and configure it to update automatically.
C. Put all remote users in an organizational unit and install antivirus software by creating a GPO.
D. Create a network health policy that requires anti-spyware to run on the RRAS server. Ensure that it automatically updates itself.
E. All of the above
Answer: A
Explanation: You need to configure a network health policy that requires anti-virus software to execute and check all the incoming files from the remote computer. In order to keep the anti-virus database up to date, you need to check the automatic updates option so you don't have to do the manual updates.

Question
As a network administrator for Certkiller, you have installed Windows Server 2008 on all the server computers of the company and Windows XP Professional Service Pack 2 and Windows Vista on all the client computers in the company. The company now wants all the computers to join the corporate network but wants to restrict non-compliant computers from communicating on the network. The computers must meet the system health requirements as stated in the corporate security policy. Which of the following role services should you install to achieve this?
A. Network Policy and Access Services
B. Routing and Remote Access Services
C. Terminal Services Licensing
D. Terminal Services Gateway
E. None of the above
Answer: A
Explanation: Network Access Protection (NAP) is a component of Network Policy and Access Services that allows protecting network resources by enforcing compliance with system health requirements.

Question
Certkiller.com has a corporate network. Network Access Protection (NAP) is configured with default settings for the network. You install an application on a client's computer that runs Windows Vista Business. The basic job of the application is to connect to a remote database server. When you install the application on the client's computer, the application fails. You start troubleshooting the problem and discover that the anti-spyware software installed on the client's computer is not compatible with the new application. Even after disabling the anti-spyware software, the application continues to fail. What should you do to ensure that the application works normally on every client's computer?
A. Turn off the anti-spyware setting "up to date" on the Windows Security Health Validator window
B. Turn off the anti-spyware setting "Application is on" on the Windows Security Health Validator window
C. Configure the Windows Defender service on the client's computer to a manual startup. Disable the Windows Defender service and then enable it again after putting it on manual startup.
D. Configure the system health agent failure option through Error code resolution to healthy
E. All of the above
Answer: B
Explanation: To ensure that the application works normally on every client computer, you should choose option B. You have to turn the anti-spyware setting "application is on" off in the Windows Security Health Validator window. The Windows Security Health Validator keeps all the important applications on to ensure that the critical applications are working. Since the anti-spyware is not compatible with the application you are installing on client computers, you should turn it off in the Windows Security Health Validator window. You should not choose option A because it will update the anti-spyware software. Similarly, the Windows Defender service is also not an option for this scenario because it will not hinder the new application and there is no use starting it manually and disabling it.

Question
Certkiller.com has Network Access Protection (NAP) and Active Directory Certificate Services (AD CS) running on their Active Directory domain. New laptops with Windows Vista installed are required to be connected to the wireless network and join the Active Directory domain. These portable computers will be using PEAP-MS-CHAP v2 for authentication. What should you do to ensure that the laptops can join the domain when users restart them?
A. Run the netsh wlan export profile command on all laptops.
B. Configure each laptop computer with a Bootstrap wireless profile
C. Configure a group policy with the Use Windows WLAN AutoConfig service for clients policy setting enabled
D. Configure a group policy with the Use Windows WLAN AutoConfig service for clients policy setting disabled
E. None of the above
Answer: B
Explanation: To ensure that the wireless client laptops running Windows Vista using PEAP-MS-CHAP v2 for authentication can join the AD domain when users restart them, you need to configure each laptop computer with a Bootstrap wireless profile, which is a temporary wireless profile that can be used to obtain connectivity to a secure wireless network. Once connected to the wireless network, the wireless client user can join the computer to the domain after providing security credentials for authentication by a RADIUS server. These credentials may include a user name and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-TLS).

Question
The corporate network of Certkiller consists of servers that have Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on them. A number of mobile users connect to the network wirelessly. You have NAP policies configured for these users. Which of the following options would you choose to ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network?
A. Use MS-CHAP v2 authentication on all portable computers.
B. Disable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
C. Use 802.1X authentication on all access points.
D. Enable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
E. None of the above.

Answer: C
Explanation: Wireless NAP enforcement is 802.1X enforcement, so every access point must require 802.1X authentication. 802.1X enforcement evaluates health policy requirements each time a computer attempts an 802.1X-authenticated connection, and it keeps monitoring the health of the connected NAP client: if the client becomes noncompliant, the NPS applies the restricted-access profile (a VLAN or ACL) to the connection. MS-CHAP v2 on its own is only the inner authentication method and does not carry the statement of health, and the Prevent connections to infrastructure networks setting merely controls which network types clients may join.

Question
The corporate network of Certkiller contains a Windows Server 2008 server that has the Network Policy Server (NPS) role service installed. Which of the following options would you choose to allow VPN access to the network only to members of a global group named Certkiller Staff?
A. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 1.
B. Add Certkiller Staff to the RAS and IAS Servers group.
C. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 3.
D. Add Certkiller Staff to the Network Configuration Operators group.
E. None of the above.

Answer: A
Explanation: To allow VPN access only to members of Certkiller Staff, create a network policy with a Windows Groups condition for Certkiller Staff, set its access permission to Access Granted, and place it at processing order 1. NPS evaluates network policies from the top of the list down and stops at the first policy whose conditions match the request; any policy above yours that also matches VPN connections (for example a deny policy) would decide the outcome instead. Placing the group's policy first guarantees it is the one applied to those users, while requests from other users fall through to the policies below it and finally to the default deny policies. RAS and IAS Servers and Network Configuration Operators are administrative groups and confer no VPN rights. You can create different compliance standards based on role, department or geography in the same way, each as its own network policy. In a NAP deployment the usual order is the Compliant, Full Access policy first (machines that pass all SHV checks are granted unrestricted access, and listing the most common case first keeps NPS processing short), then the Noncompliant, Restricted Access policy, and third a policy for NAP-ineligible computers that need backward compatibility.

Question
On the corporate network of Certkiller, Network Access Protection (NAP) is configured. You have configured 802.1X authentication on all access points that wireless computers use to reach the corporate network, to ensure secure wireless access. Which of the following options would you choose to ensure that all client computers that try to access the corporate network are evaluated by NAP?
A. Configure a Connection Request Policy with EAP-TLS as the only available authentication method.
B. Configure all access points as RADIUS clients to the remediation servers.
C. Configure a Network Policy with the Remote Access Server as the only available authentication method.
D. Configure all access points as RADIUS clients to the Network Policy Server (NPS).
E. None of the above.

Answer: D
Explanation: With 802.1X enforcement the NPS can only evaluate a client whose connection request it actually receives, so every access point must forward its 802.1X authentication traffic to the NPS as a RADIUS client. Each access point is registered on the NPS as a RADIUS client (with its address, a shared secret and the NAP-capable flag), and each access point's own RADIUS server setting points at the NPS. Remediation servers are not RADIUS servers, so B does nothing, and a network policy does not select authentication methods in the way C describes. A connection request policy that allows only EAP-TLS does not ensure evaluation and would break NAP: for 802.1X and VPN enforcement the connection request policy must require a Protected EAP (PEAP)-based method (PEAP-MS-CHAP v2 or PEAP-TLS), because the client's statement of health is carried inside the PEAP tunnel; a request that does not use PEAP is rejected and a client using plain EAP-TLS cannot be evaluated at all. By default Windows Server 2008 NPS supports PEAP-MS-CHAP v2, EAP with Transport Layer Security (EAP-TLS) and PEAP-TLS.

Question
Certkiller.com has a server with Active Directory Domain Services and an enterprise root certification authority installed. To protect the VPN connection, Certkiller.com has decided to employ Network Access Protection (NAP). You are given the task of implementing NAP. You build two servers named Certkiller NPS and Certkiller VPN and configure the roles on both servers as shown in the exhibit. What should you do to ensure that the system health policy is applied to all client computers attempting to connect to the VPN server?
A. Configure a NAP role on an enterprise certificate server.
B. Reconfigure Certkiller NPS as a RADIUS client.
C. Configure a NAP role and add it to a domain controller.
D. Reconfigure Certkiller VPN as a RADIUS client.
E. None of the above.

Answer: D
Explanation: In VPN enforcement the VPN server (Routing and Remote Access) is a RADIUS client of the NPS. It forwards every connection request, including the client's statement of health, to Certkiller NPS, which authenticates and authorizes the connection and returns either the full-access or the restricted-access profile. Certkiller VPN must therefore be registered as a RADIUS client on Certkiller NPS with a shared secret, and its own authentication provider must be set to RADIUS pointing at Certkiller NPS. Until that is done the VPN server authenticates against Windows locally and no health evaluation takes place. The NPS is the RADIUS server, not a client, and there is no separate NAP role to add to a CA or a domain controller.
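The two preceding questions (access points as RADIUS clients, and the VPN server as a RADIUS client) come down to the same configuration on the NPS and on the access device. The commands below are an added example, not configuration from the question set; the NPS name nps01.corp.example.com (10.0.0.10), the access point addresses 10.0.1.11 and 10.0.1.12, the VPN server address 10.0.0.20, and the client names are assumptions.

```powershell
# Added example: register NAP-capable RADIUS clients on the NPS and point the VPN server at it.
# Assumed: NPS nps01.corp.example.com (10.0.0.10), APs 10.0.1.11-12, RRAS server 10.0.0.20.

# --- On the NPS (Windows Server 2008, netsh nps context) ---
# Read the shared secret without echoing it; it is passed to netsh in memory only.
$secure = Read-Host -AsSecureString "RADIUS shared secret"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# napcompatible=YES tells NPS to expect a statement of health from this client;
# requireauthattrib=YES requires the Message-Authenticator attribute, which stops
# spoofed Access-Request packets from anyone who does not hold the shared secret.
netsh nps add client name="AP-Floor1" address="10.0.1.11" state="ENABLE" sharedsecret="$plain" requireauthattrib="YES" napcompatible="YES"
netsh nps add client name="AP-Floor2" address="10.0.1.12" state="ENABLE" sharedsecret="$plain" requireauthattrib="YES" napcompatible="YES"
netsh nps add client name="VPN01"     address="10.0.0.20" state="ENABLE" sharedsecret="$plain" requireauthattrib="YES" napcompatible="YES"
netsh nps show client      # all three should be listed and enabled

# --- On the VPN (RRAS) server, which becomes the RADIUS client ---
# Switch authentication and accounting from local Windows to RADIUS, naming the NPS.
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name="nps01.corp.example.com" secret="$plain" init-score=30 port=1812 timeout=5 signature=enabled
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name="nps01.corp.example.com" secret="$plain" init-score=30 port=1813 timeout=5
netsh ras aaaa show authserver

# Each access point is configured in its own management interface with RADIUS server
# 10.0.0.10, UDP port 1812 and the same secret. From then on every 802.1X and VPN request
# reaches the NPS, which can evaluate the statement of health carried inside PEAP.
```

Use a different secret per RADIUS client where the hardware allows it: with a shared secret reused across all access points, one compromised AP lets an attacker forge requests on behalf of every other client.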

Question
You are an enterprise administrator for Certkiller. The company has a head office and three branch offices. In addition, the company has many remote users who need to connect to the corporate network. The company has divided these remote users into two global groups, GroupA and GroupB. To secure the corporate network, you installed the Network Policy Server (NPS) role service on a server that runs Windows Server 2008. You want to allow VPN access to the corporate network to GroupA. Which of the following options would you choose to accomplish this task?
A. Add GroupA to the RAS and IAS Servers group.
B. Add GroupA to the Network Configuration Operators group.
C. Create a new network policy with a group-based condition for GroupA, set the access permission of the policy to Access granted, and set the processing order of the policy to 3.
D. Create a new network policy with a group-based condition for GroupA, set the access permission of the policy to Access granted, and set the processing order of the policy to 1.

Answer: D
Explanation: Network Policy Server (NPS) in Windows Server 2008 lets you create and enforce organization-wide network access policies for client health, connection request authentication and connection request authorization. To allow only members of the global group GroupA VPN access, create a new network policy with a Windows Groups condition for GroupA, set its access permission to Access granted, and set its processing order to 1. The processing order is the numeric position of the policy in the list of policies configured on the NPS; policies highest in the list (position 1) are processed first, and evaluation stops at the first match. Inserting a policy at a position above other policies moves each of those policies down by one; if no processing order is specified, the policy is added at the end of the list. The two built-in groups in options A and B are administrative groups and do not grant VPN access.

Question
You are an enterprise administrator for Certkiller. The corporate network consists of an Active Directory domain called Certkiller.com. All servers run Windows Server 2008 and all client computers run Windows Vista. The network uses Network Access Protection (NAP) to enforce policies on client computers that connect to it. According to company policy, only client computers that have the updates labeled Important and Critical installed may access network resources. A Group Policy configures client computers to obtain updates from WSUS. Which of the following options would you choose to ensure that client computers meet the company's policy requirement?
A. Disconnect the remote connection until the required updates are installed.
B. Enable the Security Center on each client.
C. Enable Automatic Updates on each client.
D. Quarantine clients that do not have all available security updates installed.

Answer: D
Explanation: The requirement is enforced on the NPS in the Windows Security Health Validator (WSHV): enable Restrict access for clients that do not have all available security updates installed and set the minimum severity to Important and above, which covers both Important and Critical updates. A client whose statement of health fails that check is placed on the restricted network (quarantined), where the WSUS server, listed as a remediation server, lets it install the missing updates and become compliant; with auto-remediation enabled this happens without user action. Enabling Automatic Updates or Security Center on the client does not by itself stop a noncompliant machine from reaching resources, and disconnecting the user is not a NAP mechanism.

NAP enforces health requirements for every computer connected to the organization's private network regardless of how it connects, and it lets you ensure the latest updates are installed before a computer reaches the network; a computer that does not meet the health requirements can be kept off it. The client side must be configured as well: using the NAP Client Configuration console (napclcfg.msc) you enable the enforcement client for each enforcement method in use, so for remote access NAP double-click Remote Access Quarantine Enforcement Client and select the Enable This Enforcement Client check box. The NAP Agent service must also be running on the client.

Question
On the corporate network of Certkiller, Network Access Protection is configured to limit the network access of computers based on predefined health requirements. The company's security policy requires data confidentiality while data is in transit between servers and client computers. As a network administrator of the company, you want to ensure that personal portable computers that do not comply with policy requirements are prohibited from accessing company resources. What should you do to achieve this?
A. Create an IPsec enforcement network policy.
B. Create an 802.1X enforcement network policy.
C. Create a wired network (IEEE 802.3) Group Policy.
D. Create an Extensible Authentication Protocol enforcement policy.
E. None of the above.

Answer: A
Explanation: Only IPsec enforcement satisfies both requirements at once. A compliant client obtains a health certificate from the Health Registration Authority and uses it to authenticate IPsec-protected communication with other compliant NAP clients and servers; a noncompliant personal laptop never receives the certificate, so hosts in the secure zone refuse its traffic, and the IPsec security associations that compliant hosts negotiate can use ESP encryption to give the confidentiality in transit that the policy demands. IPsec enforcement also keeps working after the client is on the network, independent of which switch or access point it connects through. 802.1X enforcement and the wired (IEEE 802.3) Group Policy are port-based: each time a client activates a switch port it is held in a limited-access VLAN until it authenticates to the NPS and passes evaluation, but once it is on the production VLAN nothing protects its traffic, so the confidentiality requirement is not met. There is no EAP enforcement policy in NAP; EAP methods are the authentication plug-ins that 802.1X and VPN enforcement use, and EAPHost only lets vendors install additional EAP methods on clients and NPS servers.
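The client-side configuration behind the last two questions (the Remote Access enforcement client for the WSUS update requirement, and the IPsec enforcement client with its HRA for the confidentiality requirement) can be done with netsh nap client instead of the napclcfg.msc console. The following is an added example, not configuration from the question set; the HRA name hra01.corp.example.com and the trusted server group name CorpHRA are assumptions, while the enforcement client IDs are the fixed values Windows uses.

```powershell
# Added example: enable NAP enforcement clients on a Windows Vista/7 client and check its state.
# Assumed: HRA hra01.corp.example.com, trusted server group "CorpHRA". Run elevated.
# Enforcement client IDs (fixed in Windows): 79617 DHCP, 79618 Remote Access (VPN),
# 79619 IPsec Relying Party, 79620 TS Gateway, 79621 EAP (802.1X).

# The NAP Agent service must run for any enforcement method to work.
sc.exe config napagent start= auto
net start napagent

# VPN enforcement (the WSUS updates question): turn on the Remote Access Quarantine
# Enforcement Client; this is the same check box as in napclcfg.msc.
netsh nap client set enforcement ID=79618 ADMIN="ENABLE"

# IPsec enforcement (the confidentiality question): turn on the IPsec Relying Party and tell
# the client where to request its health certificate. requirehttps=ENABLE makes the client
# refuse to send its statement of health to an HRA over plain HTTP, which would otherwise
# let an attacker on the path read the SoH or answer in the HRA's place.
netsh nap client set enforcement ID=79619 ADMIN="ENABLE"
netsh nap client add trustedservergroup name="CorpHRA" requirehttps="ENABLE"
netsh nap client add server group="CorpHRA" url="https://hra01.corp.example.com/DomainHRA/hcerthttp"

# Verify: each enabled enforcement client should report Initialized = Yes, and the
# restriction state shows whether the client is currently quarantined (talking only to
# the remediation servers) because a health validator failed.
netsh nap client show configuration
netsh nap client show state
netsh nap client show trustedservergroup

# Troubleshooting a restricted client: the evaluation result and the failing SHV are logged
# in the NAP operational channel.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:10 /rd:true /f:text
```

In production these settings normally come from Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection), which keeps a user from switching an enforcement client off locally; the netsh form is useful in a lab and for checking what a client actually has applied.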

Question
You are a systems administrator for an enterprise company. You are currently configuring NAP enforcement in a lab environment. You need to create a network policy that prevents noncompliant computers from connecting to the network. How should you configure the network policy properties?
A. In the Settings tab, set NAP Enforcement to Allow limited access.
B. In the Overview tab, set Access Permission to Deny access.
C. In the Constraints tab, set the Session Timeout to 0.
D. In the Settings tab, create an IP filter that drops all traffic.

Answer: A
Explanation: Setting NAP Enforcement to Allow limited access makes NPS return the restricted-access profile for a noncompliant client, so the client can reach only the servers in the remediation server group attached to the policy; if no remediation server group is listed, the client has effectively no network access. Deny access on the Overview tab rejects the connection outright, which also prevents the client from ever remediating and is not NAP enforcement; a session timeout of 0 and a drop-all IP filter are not how health enforcement is configured.
