Configuring NAP Health Policies
NAP Health Policies are a combination of settings for health determination
and enforcement of infrastructure compliance. Health requirement
policies on the NAP health policy server determine whether a NAP client
is compliant or noncompliant, how to treat noncompliant NAP clients and
whether they should automatically remediate their health state, and how
to treat clients that are not NAP capable for different NAP enforcement
methods. The following settings make up the NAP Health Policies:
All the NAP Health Policies are configured within the Network Policy Server console, as shown in Figure 9.
Interestingly, Microsoft recommends starting with the Configure NAP
Wizard to build your initial settings for your NAP installation. To
access the Configure NAP Wizard, click the NPS (LOCAL) node of the configuration tree and then click Configure NAP under the Standard Configuration in the right window. In Figure 9, we can see where you can access the Configure NAP Wizard within the Network Policy Server console.
Tip
A couple of hours before your exam, go through the Network Policy Server
console and click on the different icons in the tree. Also, right-click
the icons and select Properties. Go through the tabs, paying attention
to where different settings reside. This tip is good for any exam, and
we would highly recommend it. Remember, on multiple choice questions
there are four possibilities. One will obviously be wrong, two will be
plausible, and one answer will be the correct Microsoft answer!
Connection Request Policies
As we discussed earlier, NPS replaces IAS from Windows Server 2003. NPS
handles all RADIUS activities in Windows 2008 Server: RADIUS can be
configured to handle authentication and logging locally. RADIUS in
Windows 2008 can also be configured as a RADIUS proxy that forwards all
authentication requests to another RADIUS server.
Connection Request Policies are a set of rules that can be processed in a
set order. They determine whether RADIUS requests should be processed
locally or forwarded to another RADIUS server. Connection Request
Policies are configured and ordered in the NPS console under the
Policies node (see Figure 10).
When the NPS server is configured for NAP health compliance and
enforcement, the local server itself acts as the RADIUS server.
Network Policies
Network Policies either deny or grant access to network connection
attempts. These policies, like Connection Request Policies, are an
ordered group of rules. Each rule has a set of conditions, constraints,
an access permission that either grants or denies access, and network
policy settings. For NAP, network policies specify the conditions to
check for health requirements and, for computers that are not capable
of NAP, the enforcement behavior.
When setting the Network Policies, you have four options for NAP
Enforcement settings; these settings specify the type of network access
the client will have. The four options include (also see Figure 11):
Allow full network access
Allow full network access for a limited time
Enable auto-remediation of client computers
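
The following is an added example, not part of the original text and not Microsoft code: a simplified Python model of the ordered network policy evaluation described above, in which the first policy in the processing order whose conditions match decides the result. The policy names, the Client fields and the sample clients are constructed for illustration; the model shows how a broad grant rule placed first hides the health-check rules behind it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

FULL = "Allow full network access"
FULL_LIMITED_TIME = "Allow full network access for a limited time"

@dataclass(frozen=True)
class Client:
    nap_capable: bool
    compliant: bool  # only meaningful when nap_capable is True

@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    condition: Callable[[Client], bool]
    grant: bool
    enforcement: Optional[str] = None  # NAP Enforcement setting, if access is granted
    auto_remediate: bool = False

def evaluate(policies: List[NetworkPolicy], client: Client) -> Optional[NetworkPolicy]:
    """Walk the policies in processing order; the first matching one decides."""
    for policy in policies:
        if policy.condition(client):
            return policy
    return None  # nothing matched: this model treats that as a denial

def shadowed(policies: List[NetworkPolicy], clients: List[Client]) -> List[str]:
    """Names of policies that never decide the outcome for any sample client."""
    winners = set()
    for client in clients:
        hit = evaluate(policies, client)
        if hit is not None:
            winners.add(hit.name)
    return [p.name for p in policies if p.name not in winners]

# Constructed policies (hypothetical names), one per client class the text lists.
COMPLIANT = NetworkPolicy("NAP compliant", lambda c: c.nap_capable and c.compliant, True, FULL)
NONCOMPLIANT = NetworkPolicy("NAP noncompliant", lambda c: c.nap_capable and not c.compliant,
                             True, FULL_LIMITED_TIME, auto_remediate=True)
NOT_CAPABLE = NetworkPolicy("Non-NAP-capable", lambda c: not c.nap_capable, False)
CATCH_ALL = NetworkPolicy("Any computer", lambda c: True, True, FULL)

INTENDED = [COMPLIANT, NONCOMPLIANT, NOT_CAPABLE]
MISORDERED = [CATCH_ALL] + INTENDED  # broad grant placed first by mistake
SAMPLE_CLIENTS = [Client(True, True), Client(True, False), Client(False, False)]

if __name__ == "__main__":
    for label, order in (("intended", INTENDED), ("misordered", MISORDERED)):
        for client in SAMPLE_CLIENTS:
            hit = evaluate(order, client)
            print(label, client, "->", hit.name, "grant" if hit.grant else "deny", hit.enforcement)
        print(label, "shadowed policies:", shadowed(order, SAMPLE_CLIENTS))
```

Running the same shadow check against the real policy list after every reordering in the console is a quick way to confirm that each health policy can still be reached.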