NAP Health Policy Server
The NAP Health Policy Server is the heart of a NAP-supported network infrastructure. It runs Windows Server 2008 with the Network Policy Server (NPS) role installed. The NPS role stores the health requirement policies and performs health state validation for NAP.
Interestingly, the NPS role replaces the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server, and the RADIUS proxy provided by Windows Server 2003. So NPS not only supports the NAP infrastructure but also acts as the authentication, authorization, and accounting (AAA) server in Windows Server 2008. The NPS role can also act as a RADIUS proxy to exchange RADIUS packets with another NAP health policy server.
Health Requirement Server
Health requirement servers hold the data that NAP NPS servers consult when checking a client's current system health state. Examples of the data a health requirement server may provide are the latest virus definition (DAT) files for third-party antivirus packages, or updates for other software packages that ISVs have integrated with NAP through the NAP API.
Restricted Network
A restricted network is where NAP sends a computer that needs remediation services, or that must be blocked from the private network until remediation can take place. The restricted network can be a separate subnet that has no routes to the private network, or a separate logical network in the form of a virtual local area network (VLAN). A good NAP design places the remediation servers inside the restricted network: NAP clients can then get updated there and afterwards be allowed access to the private network.
The remediation server could be a Windows Server 2008 or Windows Server 2003 system running Windows Server Update Services (WSUS). WSUS provides an easy way to update the NAP client's system files from Microsoft Update. You could also place virus definition files and other third-party critical updates on the remediation server.
Tip
A good review on the test date is to go through this book, look over the diagrams, and make sure you understand the different network designs. Glancing over these network diagrams is a good refresher right before entering the testing center.
When you are working with NAP, one of the best technologies to take advantage of is virtual local area networks. Microsoft does not go into great detail about how VLANs work, but for any student or seasoned network administrator, understanding this technology is vital.
VLANs are basically multiple networks on the same switch. The switch management software lets you take ports from the switch and build many virtual local area networks, each an independent network from the others. Newer switches also let you configure routing between these VLANs, which makes setting up the restricted network in NAP easy and more efficient. To read more about VLAN technology, go to this Web address: http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2023.htm#wp3280.
Software Policy Validation
Before you actually start doing the exercises, it is important to understand what goes on during system compliance testing and validation. NPS uses System Health Validators (SHVs) to analyze the compliance of a client computer. The SHVs determine whether a computer gets full access to the private network or is isolated to the restricted network. The client has a piece of software installed called a System Health Agent (SHA) that monitors its system health and reports it. NPS uses the SHVs and SHAs together to determine the health of a client computer and to monitor, enforce, and remediate that computer.
Built into Windows Server 2008 and Windows Vista are the Windows Security Health Agent (WSHA) and the Windows Security Health Validator (WSHV). This agent and validator pair is used to enforce the most basic compliance settings in a NAP infrastructure. The settings checked by WSHA and WSHV are:
The client computer has firewall software installed and enabled.
The client computer has antivirus software installed and enabled.
The client computer has current antivirus updates installed.
The client computer has antispyware software installed and enabled.
The client computer has current antispyware updates installed.
Microsoft Update Services is enabled on the client computer.
Even without third-party SHVs and SHAs, Microsoft has built very powerful tools into Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 to validate the compliance and health of computers.