Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4

1. Test Health Certificate and configuration Auto-remediation
2. Verify NAP policy enforcement on VISTASP1

1. Confirm that both VISTASP1 and VISTASP1-2 have health certificates (Health Certificate)
2. Enter VISTASP1-2 into the Domain
3. Evaluate Auto-remediation on VISTASP1

1. Open the Run dialog box and enter mmc , then press ENTER.
2. On the File menu, click Add / Remove Snap-in .
3. Click Certificates , click Add and select Computer account , and then click Next .
4. Verify that Local computer: (the computer this console is running on) is selected, click Finish , and then click OK .
5. In the left pane of the console, double-click Certificates (Local Computer) , double-click Personal , and then click Certificates.
6. In the details pane, under Issued By , verify the subordinate CA, msfirewall-WIN2008SRV1-CA , is displayed. Verify that Intended Purposes displays System Health Authentication . Because VISTASP1-2 has not been authenticated against the msfirewall.org domain, the client name will not be displayed under Issued To , and the certificate meaning of Client Authentication does not appear. Verify that the certificate on VISTASP1-2 has Intended Purposes of System Health Authentication . This is a valid NAP health certificate for clients in a workgroup environment. An authenticated domain health certificate is similar to a certificate that achieves the name VISTASP1 .

Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4 Picture 4
Figure 1

Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4 Picture 5
Figure 2

7. Close Certificates interface

1. On VISTASP1 , open the Run dialog box and enter firewall.cpl , then press ENTER.
2. In the Windows Firewall control panel, click hange settings , click Off (not recommended) , and then click OK .
3. You may see a message in the notification area indicating that the computer does not have enough health requirements. This message is displayed because Windows Firewall is turned off. Click on this message to see more details about the health status of VISTASP1 . See the example below.

4. The NAP client will automatically turn on Windows Firewall to become compliant with the network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network .

5. Because auto-remediation occurs quite quickly, you may not see these messages. To review the NAP notification icon, type napstat at the command prompt, and then press ENTER.

1. Configure Windows SHV to be more restrictive by requiring computers to install antivirus software. When we have not installed any antivirus software on the clients, the clients will not have this requirement.
2. Refresh SoH (health statement) on VISTAP1 . This will cause the client to send a new Statement of Health to the Health Registration Authority and will report that the client does not have consent.
3. Confirm that the client's health certificate is removed. The Health Certificate is removed because the client does not have sufficient consent.
4. Restore health policy to a less restrictive state so that the client can agree. We will remove the required anti-virus software so that the client becomes consensus again.
5. Refreshing SoH on VISTASP1 will display the computer that is currently in agreement with the new policy.
6. Confirm that the client health certificate is restored.

1. On WIN2008SRV1 , click Start , click Run , type nps.msc and press ENTER.
2. In the left pane of the console, open Network Access Protection , and then click System Health Validators .

3. In the details pane, double-click Windows Security Health Validator , and then click Configure .

4. In the Windows Security Health Validator dialog box, under Virus Protection , select the check box next to An antivirus application is on .

5. Click OK and then click OK again to close the Windows Security Health Validator Properties window .
6. To open the NPS interface for the following procedures.

1. On VISTASP1 , click Start , and then click Control Panel .
2. Click Security , click Windows Firewall , and then click Change settings .
3. In the Windows Firewall Settings dialog box, click Off (not recommended) , and then click OK.

4. Windows Firewall is turned back on automatically because auto-remediation is enabled. However, because NAP policies currently require an antivirus application, VISTASP1 will appear in a non- compliant state and will not be able to obtain a health certificate.

1. On VISTASP1 , open the Run dialog box and type mmc , then press ENTER.
2. On the File menu, click Add / Remote Snap-in
3. Click Certificates , click Add , select Computer account , and then click Next
4. Verify that Local computer: (the computer this console is running on) is selected, click Finish , and then click OK .
5. In the console tree, open Certificates (Local Computer) Personal .
6. Verify that no health certificate is present.

7. Leave the Certificates interface open to perform the following procedures.

1. On WIN2008SRV1 , in the left pane of the NAP interface, open Network Access Protection , and then click System Health Validators .
2. Double-click Windows Security Health Validator and click Configure.
3. In the Windows Security Health Validator dialog box, under Virus Protection , clear the check box next to An antivirus application is on .

4. Click OK and then click OK again to close the Windows Security Health Validator Properties window.
5. Close the NPS interface.

1. On VISTASP1 , in the console, the interface tree, click Personal .
2. Right-click on the details panel and then click Refresh . Verify that the health certificate is present.

Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4 Picture 14
Figure 11

Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 4 Picture 15
Figure 12

Conclude

In this series we have provided you with many parts related to NAP IPsec enforcement solutions. As you can see in this article, there are many components in the solution and each of those components must be properly configured to work. Many Windows administrators are concerned about the complexity of NAP with IPsec policy enforcement and therefore have not adopted this powerful and effective security technology. Before performing the test, create a copy of your proof in the testing room before performing this implementation of the production network name.