Health Policies
Health Policies check the client for compliance via the system health validators (SHVs). If you recall from earlier in this chapter, we discussed Windows Security Health Validator (WSHV). These SHVs are the ones provided with Windows 2008 Server, Windows Vista or Windows XP Service Pack 3. Other SHVs can be created by independent software vendors (ISVs) via the application programming interface provided by Microsoft. By default, the WSHV is always listed in the health policies.

In this short exercise, we are going to create a Health Policy on NPS1 server. Pay close attention to all of the options available to you in the exercise.

1. Click Start, click Run, type nps.msc, and then press Enter.
2. In the Network Policy Server console tree, click Policies.
3. In the details pane, under Health Policies, click Configure Health Policies.
4. Right-click the Health Policies node and click New.
5. For the Policy Name enter CONTOSO Policy 1.
6. In the Client SHV checks drop-down menu, select Client fails one or more SHV checks.
7. Make sure under SHVs used in this health policy that Windows Security Health Validator is checked. See Figure .12.
8. Click OK.
9. Close the NPS console.

Network Access Protection Settings
Network Access Protection (NAP) settings consist of two components:

System Health Validators (SHVs) specify the configuration of installed SHVs for health requirements and error conditions. By default, Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 include the Windows Security Health Validator (WSHV).

Remediation Server Groups specify the set of servers that remain accessible to computers that are not NAP compliant and have only limited network access. If you recall Figure 1, these servers would be located on the restricted network.

In this exercise, we are going to create a remediation server group on server NPS1 to allow computers that are not compliant with the NAP infrastructure to get updated. We will point the clients to DC1 to get updates—in a real NAP infrastructure environment, we would never point to an Active Directory Domain Server as a remediation server.

1. Click Start, click Run, type nps.msc, and then press Enter.
2. In the Network Policy Server console tree, click Network Access Protection.
3. In the details pane, under Network Access Protection, click Configure Remediation Server Groups.
4. Right-click the Remediation Server Groups node and click New.
5. Click Add.
6. For the Friendly name enter CONTOSO Remediation Server Group.
7. For the IP address or DNS name enter 172.16.0.10 (DC1). See Figure 13.
8. Click OK twice.
9. Close the NPS console.
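
After both exercises, the result can be checked from the command line instead of the console. The script below is an added example, not part of the original chapter: it exports the NPS configuration on NPS1 with netsh nps export, looks for the health policy name, the remediation server group name and the DC1 address entered above, and then deletes the export. Assumptions: PowerShell 2.0 or later in an elevated session, a scratch file name chosen for illustration, and that the names and address appear as literal text in the exported XML.

```powershell
# Added example: confirm that the objects created in the two exercises exist
# in the NPS configuration. Run in an elevated PowerShell session on NPS1.

# Hypothetical scratch file; any path writable by the administrator will do.
$export = Join-Path $env:TEMP 'nps-config-check.xml'

# Values taken from the exercise steps.
$expected = @(
    'CONTOSO Policy 1',                    # health policy name
    'CONTOSO Remediation Server Group',    # remediation server group name
    '172.16.0.10'                          # DC1, entered as the remediation server
)

try {
    # netsh nps export writes the whole NPS configuration as XML.
    # exportPSK=YES acknowledges that RADIUS shared secrets are written
    # to the file unencrypted, so the file must not be left on disk.
    netsh nps export filename="$export" exportPSK=YES | Out-Null
    if (-not (Test-Path $export)) {
        throw "netsh nps export did not produce $export"
    }

    foreach ($item in $expected) {
        # Assumption: names and addresses are stored as literal text in the
        # export, so a simple (non-regex) string match is sufficient.
        $hit = Select-String -Path $export -Pattern $item -SimpleMatch -Quiet
        if ($hit) { Write-Output "FOUND    $item" }
        else      { Write-Output "MISSING  $item" }
    }
}
finally {
    # Remove the export so the shared secrets do not linger in the temp folder.
    if (Test-Path $export) { Remove-Item $export -Force }
}
```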