11 Mar 2014

Remote Network Access: Enabling Network Access Protection

As we progress to the end of our configuration for enabling our clients to participate in a health validation process, we will now reconfigure the NPS policies we originally established for our SSTP connections, and enable them to require NAP details. In addition, we will add additional policies to address scenarios where the clients are unable to participate in the NAP process, or fail their checks. Then we will move to the clients, and using a GPO configure the OS to enable the Network Access Protection (NAP) service, and define which HRA the clients will be communicating with.

Network Policy Server (NPS): Configure Connection Request Policies

Once we start this process we are essentially breaking the SSTP implementation, as I have chosen to edit the existing policies and add additional ones. You may, of course, decide to add these policies as new entries and therefore continue to support both normal SSTP and NAP SSTP, but ultimately once we have finished this set of steps, we can address both scenarios. We are also well configured to address DirectAccess with NAP when we are ready.

To begin with, I am changing our existing SSTP access connection policy so that it now will enforce the NAP protection. We will also modify the name of the policy to a more generic label.

  • Launch the Network Policy Server console and expand the Policies branch.
  • Click the Connection Request Policies node and select our existing SSTP Access policy.
  • Right-click on the SSTP Access policy, and from the context menu select Properties.
  • On the Overview page, in the Policy Name field change the name to NAP VPN Access.
  • On the Settings page, select the Authentication Methods option. In the EAP Types area, select the option Microsoft: Protected EAP (PEAP) and click Edit.
  • In the Configure Protected EAP Properties dialog, check the box for Enforce Network Access Protection, then click OK.
  • Click OK.

Update the Original Network Policy for SSTP

  • Launch the Network Policy Server console and expand the Policies branch.
  • Click the Network Policies node and select our existing SSTP Access policy.
  • Right-click the original policy we created called SSTP Access to present its properties.
  • On the Overview page, in the Policy Name field, update the name to VPN NAP Compliant.
  • On the Conditions page, click the Add… button.
  • From the Select condition list, select the option Health Policies and click Add…
  • In the new Health Policies dialog, select the policy we created earlier (NAP Compliant Client) from the Health Policies drop-down, then click OK.
  • On the Settings page, select the settings group NAP Enforcement.
  • Set the enforcement option to Allow full network access.
  • Select the option Enable the Auto remediation of client computers.
  • Review the settings and click OK.

Clone VPN NAP Compliant Policy for Non-Compliant Clients

With our NAP compliant policy now configured we can clone this policy and apply the necessary changes to create a new VPN NAP Non-Compliant policy.
  • While still in the Network Policy Server console, in the Policies > Network Policies branch, right-click the policy we just completed called VPN NAP Compliant. From the context menu select Duplicate Policy.
  • Right-click the new clone called Copy of VPN NAP Compliant and from the context menu select Properties.
  • On the Overview page: In the Policy Name field, update the name to VPN NAP Non-Compliant and check Policy Enabled.
  • On the Conditions page, select Health Policies in the Select condition list.
  • Right-click the Health Policies and select Edit. Then, in the new Health Policies dialog, select the policy we created earlier (NAP Non-Compliant Client) from the Health Policies drop-down. Click OK.
  • On the Settings page, select the settings group NAP Enforcement.
  • Set the enforcement option to Allow Limited access.
  • In the Remediation Servers Group and Troubleshooting URL area, click Configure.
  • In the Remediation Servers Group and Troubleshooting URL dialog, for the Remediation Server Group drop-down select the NAP Remediation Services group we created earlier. In the Troubleshooting URL field, enter the URL of a site available to the client, which is also listed in the NAP Remediation Services list. Click OK.
  • Select Enable the Auto remediation of client computers.
  • Review the settings and click OK.

Clone VPN NAP-Compliant Policy for Non-Capable Clients

We now have two network policies defined that will cover both our healthy and unhealthy NAP clients. But we have one more scenario to cover: clients that are not NAP-capable. This would include Windows computers that have not been configured to enable their NAP services, possibly due to exclusions on a GPO target, or devices like phones and tablets that do not have a NAP agent available. For this scenario you will need to determine how you wish to address these. For example, will you grant them access to just the remediation services? And if so, will that offer any real value, or do you simply deny them access?

Continuing with our example, I am going to proceed with the latter and deny access to devices which are not NAP-capable. To do this, I will again clone our NAP-compliant policy and apply the necessary changes to create a new VPN NAP Not-Capable policy.
  • While still in the Network Policy Server console, in the Policies > Network Policies branch, right-click the policy called VPN NAP Compliant and from the context menu select Duplicate Policy.
  • Right-click the new clone called Copy of VPN NAP Compliant and from the context menu select Properties.
  • On the Overview page: In the Policy Name field, update the name to VPN NAP Not-Capable.
  • Check the option Policy Enabled.
  • Enable the option Deny access if the connection request matches this policy.
  • On the Conditions page, in the Select condition list select the option Health Policies then click Remove.
  • Click Add…, then from the Select condition list select NAP-Capable Computers and click Add.
  • In the NAP-Capable Computers dialog, select Only computers that are not NAP-Capable and click OK.
  • On the Settings page, select the settings group NAP Enforcement. Set the enforcement option to Allow Limited access.
  • In the Remediation Servers Group and Troubleshooting URL area, click Configure.
  • In the Remediation Servers Group and Troubleshooting URL dialog, select the NAP Remediation Services group we created earlier. In the Troubleshooting URL field, enter the URL of a site available to clients that is also listed in the NAP Remediation Services list. Click OK.
  • Select Enable the Auto remediation of client computers.
  • Review the settings and click OK.

Group Policy Object: Client Network Access Protection Services

In order for our clients to participate in the NAP health check, they must be running two services. Using a Group Policy we can configure these to start automatically and also define the additional settings our clients need so that they can correctly communicate with the NAP services. The services which we will configure to auto-start on our clients are:

  • Network Access Protection Agent
  • Security Center

The following procedure will guide us through the steps required to define all the options necessary in a policy to be targeted to our workstations.
  • Launch the Group Policy Management console and navigate the tree through Forest > Domains > Domain Name.
  • Right-click on your domain name, e.g. Diginerve.Net, and from the context menu select Create a GPO in this domain, and Link it here.
  • On the New GPO dialog, enter a suitable name for our policy in the Name field, such as Network Access Protection. Click OK.
  • Locate your newly created GPO in the tree and right-click it. From the context menu select Edit. The Group Policy Management Editor will be presented.
  • Use the Tree and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
  • In the details pane right-click Network Access Protection Agent and select Properties from the context menu.
  • In the Network Access Protection Agent dialog check the box for Define this policy setting and set the Select service startup mode to Automatic. Click OK.
  • Use the tree and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Enforcement Clients.
  • In the details pane, right-click EAP Quarantine Enforcement Client and select Enable from the context menu.
  • Use the tree and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Network Access Protection > NAP Client Configuration > Health Registration Settings > Trusted Server Groups.
  • Right-click the node Trusted Server Groups and select New from the context Menu to launch the New Trusted Server Group Wizard.
  • On the Group Name page, enter NAP Health Registration Authorities then click Next.
  • On the Add Servers page, in the Add URLs of the health registration authority that you want the client to trust field, enter the URL to our configured HRA (for example, https://pdc-ad-nps01.diginerve.net/domainhra/hcsrvext.dll) then click Add. Click Next.
  • On the Completing the new trusted server group wizard page, review the configuration, and then click Finish.
  • Use the tree and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Security Center.
  • In the details pane right-click Turn on Security Center (Domain PCs Only) and select Edit from the context menu.
  • In the Turn on Security Center (Domain PCs Only) dialog, select the option Enabled then click OK.

Client: Enabling the VPN Profile to Support NAP

Next we will apply the changes necessary to enable the VPN profile which we configured earlier for pure SSTP to now also participate in the NAP configuration.
  • Re-launch the Network and Sharing Center from the left actions list. Select the option Change adapter settings.
  • In the list of presented adapters, locate and right-click your newly created profile (however you named it in the Destination name field of the wizard). From the context menu select the option Properties.
  • In the Properties dialog, select Security.
  • In the Authentication area, click Properties to display the Protected EAP Properties dialog.
  • Enable Enforce Network Access Protection.
  • Click OK to close the Connection Properties dialog.

Validation

Once again we are at the stage where we can now test our configurations and verify if the solution works as planned. You must double-check that your new GPO settings have indeed been applied to your workstation. The command I use for this check is NETSH NAP CLIENT SHOW GROUP, which should respond with the list of configurations which we defined earlier in our group policy.
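As an added check (not part of the original post), the following PowerShell script verifies on a workstation that the settings the GPO above should deliver are actually in effect: both services set to Automatic and running, the EAP enforcement client enabled, the HRA in a trusted server group, and the Security Center policy applied. It assumes the HRA URL used in this series and the standard label layout of the netsh output; change $HraUrl for your own environment.

```powershell
# Added example (not from the original post): confirm the NAP client side of the
# GPO is in place before dialling the VPN. $HraUrl is this series' example HRA.
$HraUrl = 'https://pdc-ad-nps01.diginerve.net/domainhra/hcsrvext.dll'

function Test-NapService {
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Service   = $Name
        StartMode = $svc.StartMode      # the GPO sets this to 'Auto'
        State     = $svc.State
        Ok        = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }
}

function Test-NapClientPolicy {
    # Same data the author's netsh check prints; the regexes assume the usual
    # "Name = ... / Admin = Enabled" and "URL = ..." labels of that output.
    $gp = (netsh nap client show grouppolicy) -join "`n"
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
    $sc = Get-ItemProperty -Path $regPath -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EapEnforcementEnabled = [bool]($gp -match 'EAP Quarantine Enforcement Client[\s\S]{0,200}?Admin\s*=\s*Enabled')
        HraUrlTrusted         = [bool]($gp -match [regex]::Escape($HraUrl))
        # "Turn on Security Center (Domain PCs Only)" writes this policy value
        SecurityCenterPolicy  = ($sc.SecurityCenterInDomain -eq 1)
    }
}

# napagent = Network Access Protection Agent, wscsvc = Security Center
$services = 'napagent', 'wscsvc' | ForEach-Object { Test-NapService $_ }
$policy   = Test-NapClientPolicy

$services | Format-Table -AutoSize
$policy   | Format-List

$allOk = -not ($services.Ok -contains $false) -and
         $policy.EapEnforcementEnabled -and $policy.HraUrlTrusted -and $policy.SecurityCenterPolicy
if (-not $allOk) {
    Write-Warning 'NAP client is not fully configured; run gpupdate /force and re-check before dialling the VPN.'
}
```

If the Network Access Protection Agent service is not running, the netsh query itself fails, so fix the service results first and re-run.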

[Screenshot: Remote Network Access: Enable Network Access Protection]

Now, all that is left is to dial the VPN connection again, and see if the servers will indeed let us connect.

In my case I do get a connection. But because I am using a relatively clean workstation I do not actually have any anti-virus software installed, which the NAP system quickly detects, and forces me into a Quarantine state. Additionally, the software cannot auto-remediate this for me and instead presents a dialog explaining the problem.

[Screenshot: Remote Network Access: Enable Network Access Protection]

Clicking More Information in this dialog opens the web page we defined in the NPS network policy (in this case the active policy is VPN NAP Non-Compliant); the URL is configured in the NAP Enforcement section under Remediation Servers and Troubleshooting URL. At this location, you should offer some guidance to the users on how to resolve their issues and provide links to download any necessary software.

In my environment I have hosted a simple webpage on the WSUS server, offering the user the quick and easy ability to download the anti-virus client. After the user downloads and starts the installation, the NAP agent will still not change the client from restricted mode until the software updates with current definitions.

The moment the definitions are in place, the NAP client will detect this change and will revalidate the health statement. Assuming all the checks have now been addressed, the computer will change to compliant status and remove the restrictions.
