Hi everyone, I thought it might be interesting to post an article on the integration System Center has developed with the Windows Server 2008 NAP team. As we head towards February 27th and the launch of Windows Server in Los Angeles, I thought it would be worth detailing how NAP works, and how System Center adds value to the out-of-the-box NAP functionality that Windows Server 2008 delivers.
Today’s increasingly mobile workforce and the need for inter-connectivity present an entirely new set of challenges for IT departments. In addition to ensuring that the desktop computers on the network are up-to-date and meet the company’s requirements for system health, network perimeters must also protect networks from roaming devices that may be vulnerable to security exploits.
Network Access Protection is designed to protect the network by validating system health when the client attempts to connect. This set of technologies allows an IT administrator to restrict noncompliant devices from accessing network resources. The Network Access Control market is expected to pass the $4 billion mark in 2008, and with the launch of Windows Server, NAP enters the market with a very strong product. Check out the integration NAP and Windows Server 2008 bring:
| Product | NAP integration |
|---|---|
| System Center Configuration Manager 2007 | Patch management and remediation |
| Forefront Client Services | Integrated AV product with its own SHA/SHV for NAP |
| SQL Server 2008 | Centralized logging for NPS |
| Terminal Server 2008 Gateway | Integrated support for NAP policy creation and enforcement |
| Windows Vista | Improved IPsec and 802.1X features and management |
| Microsoft Consulting Services | Full end-to-end setup and deployment |
· NAP clients: Computers that support the NAP platform for system health-validated network access or communication.
· NAP enforcement points: Computers or network access devices that use NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. Examples of NAP enforcement points are the following:
  · Health Registration Authority (HRA): A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant computers.
  · VPN server: A computer running Windows Server 2008 and Routing and Remote Access that allows remote access VPN connections to an intranet.
  · DHCP server: A computer running Windows Server 2008 and the DHCP Server service that provides automatic Internet Protocol version 4 (IPv4) address configuration to intranet DHCP clients.
  · Network access devices: Ethernet switches or wireless access points that support IEEE 802.1X authentication.
· NAP health policy servers: Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003. NPS can also act as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS is typically run on a separate server for centralized configuration of network access and health requirement policies. The NPS service is also run on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service acts as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.
· Health requirement servers: Computers that provide the current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.
· Active Directory® Domain Service: The Windows directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
· Restricted network: A separate logical or physical network that contains:
  · Remediation servers: Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.
  · NAP clients with limited access: Computers that are placed on the restricted network when they do not comply with health requirement policies.
This is where System Center Configuration Manager helps. There are two types of configuration settings that NAP can look for. Out of the box, NAP in Server 2008 can check the kinds of settings you see in the Control Panel Security Center applet, such as Firewall, Automatic Updates, Malware Protection and other security settings. These policy-based settings are typically managed through Group Policy or antivirus applications. Configuration Manager also uses a site role called the System Health Validator Point, together with a Software Update Point, to work with Windows Server to scan for update compliance.
Configuration Manager adds the powerful ability to also check for the presence of updates. For example, using the System Health Validator site role and the Software Update Management capability of Configuration Manager, NAP enforcement can be used to ensure that updates are present on clients. There are primarily two types of System Health Agent: the policy-based agent that Server NAP uses (WSHA), and the Configuration Manager agent (CMSHA), which covers items such as updates that Configuration Manager can also check for. Network Access Protection in Configuration Manager is used to define and enforce system health by:
• Validating corporate policy at the perimeter
  - Validate the health of client systems as defined by corporate security policy
• Placing untrusted systems in a lockdown area (quarantine)
  - Restrict access to protected network regions based on client health state
• Controlling system access with network restriction
  - Provide access to the resources that allow clients to correct security policy compliance deficiencies
• Performing ongoing compliance checks with a constant perimeter health check
  - Automatically enforce changes to defined corporate security policies, ensuring sustained policy compliance
A typical scenario could be this. Microsoft releases the standard Patch Tuesday round of updates, and Woodgrove Bank (the fictitious company we use as an archetype in our demos) brings these into its environment, tests them and releases them. Through the release process, these updates can be given a window of time during which they are made available, both to network clients (online and via Wake-on-LAN) and to Internet-based clients (yup, we do that now). But Woodgrove Bank also has a security policy that updates must be enforced, so part of our update release could include NAP evaluation after a certain date. So, for example, we make the update available for, say, two weeks, but after that we NAP-enforce the presence of that update on clients.
So the final setup would be: a patch is released, brought into the organization, published to the environment for a window of acceptable time, and then enforced with NAP. This guarantees that once an update is released, we can verify the presence of that update on the clients we manage before they connect to the network. Pretty powerful stuff!
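To make the component list above and the "available now, NAP-enforced later" scenario concrete, here is a small Python model of the evaluation flow. It is an added example written for this post, not code from the original article or from the NAP or Configuration Manager products, and it does not speak the real SoH/RADIUS wire protocol: the `StatementOfHealth`, `HealthPolicy` and `UpdateDeployment` structures, the Woodgrove host names, the update id and the dates are all constructed placeholders. What it shows is the part that matters to the scenario: a policy-based (WSHA-style) check, an update (CMSHA-style) check whose requirement only switches on once the deployment's NAP enforcement date arrives, the enforcement point's full-versus-restricted decision, and remediation from the restricted network.

```python
# Added example: a model of the NAP health evaluation flow with a
# Configuration Manager-style "available now, NAP-enforced later" update.
# All names, hosts, dates and update ids below are constructed placeholders.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class UpdateDeployment:
    """A software update as Configuration Manager would publish it."""
    update_id: str                    # constructed placeholder, not a real KB number
    available_from: date              # start of the window in which clients may install it
    nap_enforce_from: Optional[date]  # date from which NAP requires it; None = never


@dataclass(frozen=True)
class StatementOfHealth:
    """What the NAP client reports; one part per System Health Agent."""
    client: str
    firewall_on: bool                 # WSHA-style Security Center settings
    av_current: bool
    auto_updates_on: bool
    installed_updates: frozenset      # CMSHA-style update inventory


@dataclass
class HealthPolicy:
    """Health requirement policy held by the NAP health policy server (NPS)."""
    require_firewall: bool = True
    require_av_current: bool = True
    require_auto_updates: bool = True
    deployments: list = field(default_factory=list)


@dataclass
class HealthResult:
    client: str
    compliant: bool
    failures: list


def wsha_validate(soh, policy):
    """Policy-based checks, the kind the Security Center applet shows."""
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("firewall off")
    if policy.require_av_current and not soh.av_current:
        failures.append("antivirus signatures out of date")
    if policy.require_auto_updates and not soh.auto_updates_on:
        failures.append("automatic updates off")
    return failures


def cmsha_validate(soh, policy, today):
    """Update checks: a deployment is required only once its NAP date has arrived."""
    return [
        f"missing update {d.update_id}"
        for d in policy.deployments
        if d.nap_enforce_from is not None
        and today >= d.nap_enforce_from
        and d.update_id not in soh.installed_updates
    ]


def evaluate(soh, policy, today):
    """Health policy server: combine the SHV verdicts into one compliance result."""
    failures = wsha_validate(soh, policy) + cmsha_validate(soh, policy, today)
    return HealthResult(soh.client, not failures, failures)


# Constructed remediation-server names; a real restricted network would carry
# the software update point and antivirus signature servers.
REMEDIATION_SERVERS = ("sup.woodgrove.example", "av-sig.woodgrove.example")


def enforcement_decision(result):
    """Enforcement point: full access if compliant, else the restricted network."""
    if result.compliant:
        return {"network": "full", "reachable": ["*"]}
    return {"network": "restricted", "reachable": list(REMEDIATION_SERVERS)}


def remediate(soh, policy, today):
    """Client pulls fixes from the remediation servers and re-reports.
    Only updates already inside their availability window can be installed."""
    installable = {d.update_id for d in policy.deployments if today >= d.available_from}
    return StatementOfHealth(soh.client, True, True, True,
                             soh.installed_updates | installable)


if __name__ == "__main__":
    # Constructed scenario: released on a Patch Tuesday, available at once,
    # NAP-enforced two weeks later.
    policy = HealthPolicy(deployments=[
        UpdateDeployment("UPD-EXAMPLE-1", date(2008, 2, 12), date(2008, 2, 26))])
    vista = StatementOfHealth("vista-client", True, True, True, frozenset())
    for day in (date(2008, 2, 20), date(2008, 2, 27)):
        result = evaluate(vista, policy, day)
        print(day, result.failures or "compliant", enforcement_decision(result)["network"])
    fixed = remediate(vista, policy, date(2008, 2, 27))
    print("after remediation:", evaluate(fixed, policy, date(2008, 2, 27)).compliant)
```

Running it shows the client passing on 20 February (the update is published but not yet required), landing on the restricted network on 27 February with `missing update UPD-EXAMPLE-1` as the failure, and passing again after remediation. The one edge case worth keeping in mind when you set the dates is that the NAP enforcement date must not precede the availability date, otherwise clients are quarantined for an update they cannot yet pull from the remediation servers.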
I have worked with a bunch of guys in both the Server NAP team (awesome bunch over there) and our own MSIT team (Richard and Greg, rock stars) to build a virtual machine demo of how all of this works together. The main reason we built a demo was so we could show the power this solution brings to the IT organization. Why MSIT? Well, our own internal IT department at Microsoft is deploying NAP; in fact, a few weeks ago the North American region went into production NAP enforcement, so we really are practicing what we preach. These guys are speaking from pure experience, both in building the product and in integrating it into a production environment. Their knowledge is invaluable, and we have speaking plans for all of us to cover this topic at our next internal training event for our field, as well as at the Microsoft Management Summit and TechEd. Look out for the topic there, and we hope it will be pretty popular.
I also wanted to show this in action, so here is a video of how the process works. It is a simple four-machine environment, using a typical scenario where a Vista client is missing a patch and as a result cannot reach a protected resource, in this case an intranet HRWeb page. W2K8 and Configuration Manager work together to scan the client, determine the missing bits, and deliver the fix. The intranet web page that failed then loads once compliance is verified. Enjoy!
Sr. Technical Product Manager
System Center Configuration Manager