{"id":2785,"date":"2014-10-13T09:07:59","date_gmt":"2014-10-13T14:07:59","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=2785"},"modified":"2015-04-24T15:09:03","modified_gmt":"2015-04-24T20:09:03","slug":"configure-network-address-protection-w-dhcp-enforcement","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/configure-network-address-protection-w-dhcp-enforcement\/","title":{"rendered":"Configure Network Address Protection w\/ DHCP Enforcement"},"content":{"rendered":"

\"Network<\/a>In this article I will <\/span>show you how to install and configure NAP<\/i> with Dynamic Host Control Protocol (DHCP)<\/i> enforcement. You may already be familiar with DHCP which is a service used to allocate network parameters automatically and offers a centralized way to manage your network devices. NAP<\/i> is a security mechanism offered by the Network Policy and Access Server Role<\/i> that helps you in managing the health and security of the network. With NAP you can define how computers receive network access based on their System health. <\/span><\/p>\n

By creating benchmarks that define how computers get network access, you protect your network from a potential virus or external security attack. With NAP you can ensure that before computers get network access they have the latest updates installed, the Windows Firewall<\/a> is configured and activated, the antivirus is updated and running and so on.<\/span><\/p>\n

NAP uses System Health Agents<\/i> and Validators<\/i> to check the health of network devices against the criteria configured on the NAP Server. SHV (System Health Validators)<\/i> are used to specify the conditions that a NAP client must meet before network access is granted. SHA (System Health Agent)<\/i> is a component used to check if a certain NAP client meets the requirement configured on SHV. With Windows Server 2008 and newer editions you can configure four types of NAP enforcement: IPSec<\/i>, VPN<\/i>, 801.1X<\/i> and DHCP<\/i> which we will discuss in this article.<\/span><\/p>\n

For this demonstration I will be using a Windows Server 2012 machine that is a<\/span>lready hosting the DHCP service. For testing purposes I recommend always using a Virtual Machine because you can easily rollback to a previous state if any problems<\/span> occur.<\/span><\/p>\n

Login on the machine and open the Server Manager<\/i> console. Now click on Add roles and features <\/i>button and select Network Policy and Access Services<\/i> from the available roles list:<\/span><\/p>\n

\"Select<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

O<\/span>nce you\u2019ve selected the Role, proceed to the following section by clicking the Next<\/i> button. Select Network Policy Server<\/i> and click the Install<\/i> button:<\/span><\/p>\n

\"Install<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

Wait until the installation is completed and then close the Wizard.<\/span><\/p>\n

\"Add<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

From Administrative tools<\/i> o<\/span>pen the DHCP console<\/i> and expand<\/i> the IPv4 section<\/i>. Now right click<\/i> and select New Scope<\/i><\/span><\/p>\n

\"IPv4<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

Once the wizard has started, type in a Name<\/i> and Description<\/i> for the new policy and then set the IP Address Range for the scope. I\u2019ll configure the rage to 10.10.10.50 \u2013 10.10.10.100 and set the network mask to \/24 or 255.255.255.0<\/span><\/p>\n

\"New<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

We will not configure any exclusions, delays, lease duration or other options for now so please press Next<\/i> three times and then select No<\/i> at I will Configure These Options Later<\/i> panel.<\/span><\/p>\n

Now that our scope is prepared, open the Network Policy Server<\/i> console from Administrative <\/i>Tools and select Configure NAP<\/i> to start the wizard.<\/span><\/p>\n

\"Configure<\/span><\/p>\n

\u00a0<\/p>\n

From the drop down list select Dynamic Host Control Protocol (DHCP)<\/i> and set a name for the NAP policy.<\/span><\/p>\n

\"Set<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

For our testing environment we will not be using a RADIUS server so skip this page and proceed with the next section.<\/span><\/p>\n

We\u2019ll need to add our newly created DHCP scope to the NAP<\/i> policy. Click the Add<\/i> button and enter the DHCP<\/i> scope<\/i> name<\/i>.<\/span><\/p>\n

\"Add<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

Skip the following two sections and on the Define NAP Health Policy<\/i> page deselect Enable auto-remediation of client computers. <\/i>Windows Security<\/a> Health Validator is selected by default because this is where we define the NAP criteria. All NAP ineligible clients will be denied network access:<\/span><\/p>\n

\"Define<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

Our Connection Request Policy<\/i> will be added on the NAP server. You can further configure its options if you right click<\/i> it and select Properties<\/i>.<\/span><\/p>\n

\"NAP<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

The Windows Security Health Validator<\/i> can be configured from the Network Access Protection<\/i> section:<\/span><\/p>\n

\"Windows<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

You should now have a DHCP NAP enabled server capable of granting or rejecting clients based on the settings specified in the SHV. As you can see, NAP can be installed and configured pretty easily and should provide you an extra security layer within the network. We can also configure Remediation Server Groups <\/i>which can be capable of delivering the latest updates to rejected clients. If you think that there are other things that should be mentioned here, don\u2019t hesitate to use our comments section. Wish you a great day folks!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

In this article I will show you how to install and configure NAP with Dynamic Host Control Protocol (DHCP) enforcement. You may already be familiar with DHCP which is a service used to allocate network parameters automatically and offers a centralized way to manage your network devices. NAP is a security mechanism offered by the […]<\/p>\n","protected":false},"author":4,"featured_media":2801,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,13,9,8],"tags":[],"class_list":["post-2785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-how-to","category-pc-security","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=2785"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2785\/revisions"}],"predecessor-version":[{"id":3456,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2785\/revisions\/3456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/2801"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=2785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=2785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=2785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}