27 Jan 2011

Network Access Protection (Part 5)

The process for creating authorization policies.

In the previous article in this series, I showed you how to configure a system health validator so that Windows will check to see if clients requesting access to the network have the Windows firewall enabled. I then showed you how to create system health validator templates that define what it means to be in and out of compliance with the network health policy.

In this article, I will continue the discussion by showing you how to create health authorization policies. Health authorization policies are the policies that control what happens if a client is compliant with the network health policy, and what happens if the system requesting network access is found to be non-compliant. It is these policies that determine what level of access, if any, the client will receive to the network.

Begin the process by opening the Network Policy Server console if it isn't already open and selecting the console's Authorization Policies container. Upon doing so, take a look at the Details pane to see whether any authorization policies currently exist. On my test system, there are four previously existing authorization policies, but who knows whether or not those policies will exist in the final version of Longhorn Server. If any policies do exist, delete them by right-clicking on them and selecting the Delete command from the resulting shortcut menu.

Now that you have cleared out the previously existing policies, you can create a new authorization policy. To do so, right-click on the Authorization Policies container and select the New | Custom commands from the resulting shortcut menus. Windows will now display the New Authorization Policy Properties sheet.

The first thing that you will have to do is to assign a name to the policy. Let's call this policy Compliant-Full-Access. You can enter the policy's name into the Policy Name field, found on the properties sheet's Overview tab. Now, set the policy type option to Grant Access, as shown in Figure A. Setting the policy type to Grant Access does not grant users full access to the network. All it means is that requests coming into this policy are approved for further processing.


Figure A: Set the Policy Type to Grant Access

Now, select the properties sheet's Conditions tab. As the name implies, the Conditions tab allows you to set the conditions that a client computer must meet in order for the policy to be applied. Scroll through the list of available conditions to Network Access Protection, and then select the SHV Templates option located beneath it. When you do, the details pane will display the Existing Templates drop-down list. Choose Compliant from the drop-down list and click the Add button. The Conditions used in this Policy window will now indicate that Computer Health matches "Compliant", as shown in Figure B. This means that in order to be considered compliant, client computers must match the criteria defined in the Compliant template that you created in a previous part of this article series. More specifically, it means that client computers must have the Windows firewall enabled.


Figure B: In order to be compliant, client computers must meet the requirements defined in the Compliant policy that you created in a previous part of this article series

Now, select the properties sheet's Settings tab. The Settings tab contains a variety of settings that can be applied to computers meeting the conditions that you defined earlier. Since this is a policy that will be applied to computers that are compliant with the network security policy, we need to remove any restrictions from the Settings so that compliant computers can gain access to the network.

To do so, navigate through the console tree to Network Access Protection | NAP Enforcement. Now, select the Do Not Enforce radio button, as shown in Figure C. This prevents compliant computers from being restricted from accessing network resources.


Figure C: NAP enforcement should not be applied to compliant computers

After you select the Do Not Enforce option, navigate through the console tree to Constraints | Authentication Method. The details pane should now display a series of check boxes, each corresponding to a different authentication method. Go ahead and uncheck all of the check boxes except the EAP check box. Click the EAP Methods check box and then click the Add button. Select the Secured Password (EAP-MSCHAP v2) option and click OK twice to close the dialog boxes that have opened. Click OK once more to save the policy that you have created.

So far we have created a policy for compliant computers; now we have to create a similar policy for computers that are not compliant. To do so, right-click on the console tree's Authorization Policies container and select the New | Custom commands from the resulting shortcut menus. This will cause Windows to reveal the now familiar New Authorization Policy Properties sheet.

As was the case before, the first thing that you must do is to enter a name for the new policy that you are creating. Let's call this policy Noncompliant-Restricted. Even though we are creating a restricted policy, you must still set the policy type to Grant Access. Remember that this does not grant access to the network, but rather allows further processing of the policy.

Now, select the Conditions tab. When we created the authorization policy for compliant computers, we created a condition which required the computer to match the Compliant template that we had created in a previous part of this article series. Since this policy is for non-compliant computers, you must instead check whether the client computer's configuration matches the conditions defined in the NonCompliant template. Specifically, this means checking that the Windows firewall is not enabled.

Scroll through the list of available conditions to Network Access Protection and then select the SHV Templates container. Select the NonCompliant option from the list of existing templates, and then click the Add button.

Next, select the Settings tab and navigate through the console tree to Constraints | Authentication Method. The details pane should now display a series of check boxes, each corresponding to a different authentication method. Go ahead and uncheck all of the check boxes except the EAP check box. Click the EAP Methods check box and then click the Add button. Select the Secured Password (EAP-MSCHAP v2) option and click OK twice to close the dialog boxes that have opened.

So far everything that we have done to the policy for non-compliant computers has been identical to what we did to the policy for compliant computers, aside from specifying a different SHV template. If we left this policy the way that it is, then non-compliant computers could end up gaining full network access. Since we don't want that to happen, we need to use NAP enforcement to restrict their access.

To do so, select the NAP Enforcement container found in the list of Available Settings. When you do, the Details pane will display various enforcement options. Select the Enforce option, and then select the Update Non Compliant Computers Automatically check box, as shown in Figure D. Click OK to save the policy that you have created.


Figure D: You must enforce NAP protection for non-compliant computers
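To make the decision logic of the two policies concrete, here is an added example (a model written for this article, not NPS code or any Windows API) that evaluates a client's health state against the Compliant-Full-Access and Noncompliant-Restricted policies described above, and audits a policy set for the mistake called out in the previous paragraph: a policy aimed at the NonCompliant template that does not enforce NAP. The policy and template names are the ones used in this series; the first-match processing order, the `ClientHealth` fields and the return shape of `evaluate` are assumptions of the model.

```python
from dataclasses import dataclass
from enum import Enum


class Enforcement(Enum):
    DO_NOT_ENFORCE = "do_not_enforce"  # Settings | NAP Enforcement: compliant clients
    ENFORCE = "enforce"                # Settings | NAP Enforcement: restricted network


@dataclass
class ClientHealth:            # assumed shape of the client's statement of health
    firewall_enabled: bool
    eap_method: str            # authentication method offered by the client


# SHV templates from the earlier parts of the series: the only health check is
# whether the Windows firewall is on.
SHV_TEMPLATES = {
    "Compliant": lambda h: h.firewall_enabled,
    "NonCompliant": lambda h: not h.firewall_enabled,
}


@dataclass
class AuthorizationPolicy:
    name: str
    shv_template: str                 # Conditions tab: Computer Health matches <template>
    enforcement: Enforcement
    auto_remediate: bool = False      # "Update Non Compliant Computers Automatically"
    eap_methods: tuple = ("EAP-MSCHAP v2",)  # Constraints | Authentication Method


def evaluate(policies, health):
    """First policy whose condition matches decides (assumed order semantics).
    'Grant Access' only means the request goes on to that policy's constraints
    and settings; the NAP Enforcement setting is what limits network access."""
    for p in policies:
        if not SHV_TEMPLATES[p.shv_template](health):
            continue
        if health.eap_method not in p.eap_methods:
            return (p.name, "denied", False)        # constraint not met
        if p.enforcement is Enforcement.ENFORCE:
            return (p.name, "restricted", p.auto_remediate)
        return (p.name, "full", False)
    return (None, "denied", False)                 # no policy matched


def audit(policies):
    """Names of policies that match NonCompliant clients yet do not enforce NAP."""
    return [p.name for p in policies
            if p.shv_template == "NonCompliant" and p.enforcement is not Enforcement.ENFORCE]


POLICIES = [  # the two policies built in this article
    AuthorizationPolicy("Compliant-Full-Access", "Compliant", Enforcement.DO_NOT_ENFORCE),
    AuthorizationPolicy("Noncompliant-Restricted", "NonCompliant", Enforcement.ENFORCE, True),
]
```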
