Enforce NAP on the Client Side
The last step is to configure the client to work with NAP; in fact, you must explicitly enable NAP enforcement on each client. You can accomplish this task through the NAP Client Configuration console, Group Policy, or Netsh (which has a new nap context for NAP configuration). Because the Windows 2003 tools can't edit domain or OU Group Policy Objects (GPOs) to include NAP settings, using Group Policy requires you to edit the GPOs from the Group Policy Management Console (GPMC) on Vista or Server 2008. Whichever method you choose, the Network Access Protection Agent service must be running: use the Administrative Tools' Services console to start the service and change its startup type to Automatic (a change you can also make through Group Policy).
On Vista, start the Microsoft Management Console (MMC) and add the NAP Client Configuration snap-in. Alternatively, select Run from the Start menu and enter

napclcfg.msc

Select the Enforcement Clients node in the left pane, double-click DHCP Quarantine Enforcement Client on the right side, select Enable this enforcement client, and click OK. From now on, the client can participate in NAP. Note that if a domain GPO delivers NAP client settings to the computer, those settings take precedence over whatever you configure locally in this console.
To use Netsh to enable the same enforcement client, open an elevated command prompt and enter

netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

(79617 is the ID of the DHCP Quarantine Enforcement Client; netsh nap client show config lists the IDs of all enforcement clients and whether each is enabled.)
If you want to use XP SP2 clients, you must install the Beta 3 release of the NAP client software for XP, which makes the OS NAP capable (the NAP client later shipped as part of XP SP3).
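The whole client-side procedure above, as an added example that is not part of the original article: it starts the agent service, enables the DHCP enforcement client with Netsh, verifies the result, and checks whether Group Policy is overriding the local settings. It assumes only the built-in sc.exe and netsh.exe on a Vista or Server 2008 machine, run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): enable NAP on a Vista or
# Server 2008 client from an elevated PowerShell prompt and verify the result.
# Assumes the built-in sc.exe and netsh.exe; no third-party tools.

# 1. The Network Access Protection Agent service (short name: napagent) must be
#    running, and should start automatically. Note the space after "start=".
sc.exe config napagent start= auto
sc.exe start napagent

# 2. Turn on the DHCP Quarantine Enforcement Client. Enforcement-client IDs are
#    fixed: 79617 DHCP, 79618 Remote Access (VPN), 79619 IPsec,
#    79621 TS Gateway, 79623 EAP (802.1X).
netsh nap client set enforcement id = 79617 admin = "ENABLE"

# 3. Verify. "show config" lists every enforcement client with its state;
#    "show state" reports whether the agent is running and whether it is
#    currently restricted.
netsh nap client show config
netsh nap client show state

# 4. Caveat: when a domain GPO delivers NAP client settings, the local
#    configuration above is ignored and the policy wins. Check which applies:
netsh nap client show grouppolicy
```

If step 4 shows Group Policy settings in effect, make the change in the GPO from a Vista or Server 2008 GPMC instead; the local console and the netsh command will appear to succeed but have no effect.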
Run a NAP Test
To test NAP on a client, configure a Vista client and join it to your domain. With the Windows Firewall in its default (enabled) state, obtain an IP address from the DHCP server. Ensure that you receive a regular address from the scope you created in the earlier steps, with the regular scope options. To verify that you have all the necessary DHCP information (e.g., DNS servers, gateway, WINS servers), go to the command line and enter

ipconfig /all

Figure 9 shows the output.
Next, manually disable the Vista firewall. Within a few seconds the NAP client autoremediates the system state and the firewall is re-enabled: the Windows Security Health Agent (which reports firewall, antivirus, and update status to the Windows Security Health Validator) makes the correction, provided you enabled auto-remediation in the NPS network policy for noncompliant clients. To demonstrate a quarantined client, go to Server 2008's NAP console and configure the Windows Security Health Validator to require an antivirus application that is installed and up to date. If you don't have an antivirus solution on the Vista client, run ipconfig /release followed by ipconfig /renew to quarantine your client and receive a taskbar quarantine notification message. Run ipconfig /all again, and note that your computer is now configured with the options you specified in DHCP's Network Access Protection class. As Figure 10 shows, all you have is an IP address and a subnet mask: DHCP enforcement hands out a 255.255.255.255 mask and no default gateway (plus host routes to any remediation servers you defined), so the client has no Internet access and no access to other hosts on the network.
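The quarantine check described in this test, as an added example that is not part of the original article: run on the Vista client, it reads the NAP agent's own restriction state and then inspects the DHCP lease, treating a missing default gateway as the sign of a restricted lease. It assumes PowerShell 2.0 or later with WMI available; the exact text of the netsh output line it parses ("Restriction state = ...") is an assumption about netsh's format, so an unmatched line is reported as unknown rather than treated as an error.

```powershell
# Added example (not from the original article): decide from the Vista client
# whether DHCP enforcement has put it on the restricted network. Run from an
# elevated PowerShell (2.0 or later) prompt. The NAP agent's output line
# "Restriction state = ..." is an assumption about netsh's text format.

param([switch]$Renew)   # -Renew repeats the article's ipconfig /release and /renew first

if ($Renew) {
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
    Start-Sleep -Seconds 5      # let the agent send its SoH and receive the verdict
}

# 1. The NAP agent's own view of whether it is restricted.
$match = netsh nap client show state | Select-String 'Restriction state\s*=\s*(.*)'
$agentState = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
"NAP agent restriction state: $agentState"

# 2. What the DHCP lease actually contains. A restricted lease carries an IP
#    address and a 255.255.255.255 mask but no default gateway (only host routes
#    to the remediation servers), so a missing gateway is the practical test.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration `
            -Filter "IPEnabled = TRUE AND DHCPEnabled = TRUE"
foreach ($nic in $nics) {
    # Pipe through Where-Object so a $null gateway yields an empty array, not @($null).
    $gateway = @($nic.DefaultIPGateway | Where-Object { $_ })
    $restricted = ($gateway.Count -eq 0)
    $fields = @(
        $nic.Description
        ($nic.IPAddress -join ',')
        ($nic.IPSubnet -join ',')
        $(if ($restricted) { 'none' } else { $gateway -join ',' })
        ($nic.DNSServerSearchOrder -join ',')
        $(if ($restricted) { 'RESTRICTED (quarantine lease)' } else { 'full access' })
    )
    "{0}: IP={1} mask={2} gateway={3} DNS={4} -> {5}" -f $fields
}
```

Run it once with the firewall on (expect "full access" and a normal mask), then again with -Renew after configuring the antivirus requirement; the agent's reported state and the lease contents should agree. If the agent says it is restricted but the lease still has a gateway, the DHCP server is not enforcing NAP for that scope.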
An Effective Solution
Maintaining computers' health is one of the most time-consuming challenges that any network administrator faces. This complex task is made even more difficult if you must maintain system health for users who connect from home systems, partner computers and laptops that aren't under administrators' control, or computers that aren't managed through a corporate patching system (e.g., Windows Server Update Services, WSUS, or Microsoft Systems Management Server, SMS). NAP is an effective solution for controlling the security health of computers on your network.