To configure the Health Policy option, double-
click the Policies node in the NPS console,
right-click Health Policies, and select New.
In the window that Figure 3 shows, enter the
policy name and select what the System Health
Validator (SHV) component will check.
First, let’s create a policy for compliant
clients. Enter compliant for the policy name,
and select Client passes all SHV checks from the
drop-down menu. Selecting this option means
that, for a client to be considered healthy, it
must pass all the requirements you configured
in SHV (which in the example was only the firewall
requirement). Next, select the
Windows Security Health Validator
check box and click OK. Your first
policy is now configured.
Next, let’s create a policy for noncompliant
computers. Follow the
same steps to create a new health
policy, perhaps called noncompliant.
In the drop-down menu, select Client
fails one or more SHV checks, which
means that if a client fails to correctly
report one or more required components
from SHV,
it will be considered
unhealthy.
Finally, select
the Windows
Security Health
Validator check
box and click
OK.
Create
Network
Policies
for NAP
After you configure
the SHV
and Health Policy options, you can configure
network policies. In the NPS console’s Policies
node, click Network Policies and disable the
default policies. By default, the two default policies
are Connections
to
Microsoft Routing
and Remote
Access Server
and Connections
to other
access servers.
Right-click each
policy and select
Disable from
the drop-down
menu. Then,
right-click the
Network Policies
folder and
select New. A
wizard for creating
a new policy
will start. Enter
a policy name
(e.g., “noncompliant-
restricted” for a policy for unhealthy
clients). Then, select from the drop-down list
the type of network access server that will apply
the policy to clients. The default is Unspecified;
for our purposes, select DHCP Server.
Click Next to proceed to the Conditions
page, and click Add to select conditions for the
policy. From the list of available conditions that
displays, select Health Policies from the Network
Access Protection group. In the window
that opens, select the “noncompliant” health
policy that you created earlier.
Follow the same procedure to add the NAPCapable
condition, which Figure 4 shows, to
the policy. This condition limits application
of the policy only to computers that are NAP
capable.
Click Next to launch the Specify Access
Permission window. In this window, you must
specify what to do with clients that meet the
policy. Although denying access to unhealthy
clients might seem logical, you don’t want
to completely deny access to those clients.
Instead, you should provide them with limited
access only to hosts that can help them improve
their security state (i.e., remediation servers).
Select Access Granted and click Next.
In the Configure Authentication Methods
window, select the Perform machine health
check only option, and clear the other check
boxes, as Figure 5 shows. Because you’re configuring
a policy for checking clients’ security
health state via DHCP and because DHCP clients don’t authenticate to the DHCP server,
you don’t need to configure authentication
methods. Just click Next in the Configure Constraints
window—none of the options apply to
our example.
In the Configure Settings window, select
NAP Enforcement in the Network Access Protection
section, as Figure 6 shows. For this policy,
you should select the Allow limited access
NAP enforcement method. This setting will put
clients in quarantine and give them access only
to remediation servers. You can also configure
those servers from this window: Simply click
Configure to create a
Remediation Server
Group, and enter
IP addresses for the
hosts. Also select the
Enable auto-remediation
of client computers
check box.
Enabling both these
settings causes the
NAP Enforcement
client component
to automatically
attempt to update
the computer security
state (e.g., if you
turn the firewall off,
it will be turned on
automatically).
After you create a
policy for incompliant clients, you must create
a policy for compliant clients. Follow the same
steps to create another new network policy,
this time naming the policy “compliant full.”
On the Conditions page, select the “compliant”
health policy. Then, select the Allow full
network access check box on the NAP Enforcement
Settings tab. All other settings are the
same as for the incompliant client policy.
Finally, you can configure a policy for NAP
non-capable clients, to provide them with or
deny them network access. This policy should
grant or deny access to clients that aren’t
NAP capable, by implementing only the NAPCapable
condition, with the Only computers
that are not NAP-capable option selected.
(Note that this policy isn’t necessary in a test
environment.)
Figure 7 shows the NPS console after you’ve
created the necessary policies. Next, you need
to configure DHCP.
Configure DHCP for NAP
You need to configure DHCP, so that DHCP
can use NPS and the policies you created. First,
you must create a scope on the DHCP server.
Our intention is to configure the DHCP server
to distribute a different group of scope options
to compliant and incompliant NAP clients.
After you create a scope, right-click it in the
DHCP console. Select Properties, and go to the
Network Access Protection tab. Then, select
the Enable for this scope check box, as Figure 8 shows, and use the default NAP profile.
Another thing you can configure from the
Network Access Protection tab in IPv4’s properties
is DHCP behavior, in case DHCP can’t
contact the network policy server. The default
setting is to give clients full access, but you can
also select the Restricted Access or Drop Client
Packet options. In addition, you can enable
and disable NAP on the server level.
Finally, you must configure additional
options for NAP-capable clients. Right-click
Scope Options, and select Configure Options. In the Configure Scope Options
dialog box, select the Advanced tab.
Select Default Network Access Protection
Class as a User class, and
define specific DHCP options for this
class of clients (e.g., different DNS domain name, different gateway).
Register
