Windows Server 2008 NAP (Part 5)

by Marin Franković on 18 January, 2009

… continued from part 4

Configuring NPS as NAP health policy server (do this on SRV computer):

  • Start NPS console
  • Expand Network Access Protection and click System Health Validators
  • Double-click Windows Security Health Validator
  • Clear all check marks except A firewall is enabled for all network connections
  • Click OK two times


Let's configure the health policies:

  • Expand Policies and click Health Policies
  • Create a new policy and name it Compliant
  • Under Client SHV checks select Client passes all SHV checks
  • Under SHVs used in this health policy select Windows Security Health Validator
  • Create a new policy and name it NonCompliant
  • Under Client SHV checks select Client fails one or more SHV checks
  • Under SHVs used in this health policy select Windows Security Health Validator

Now we have to create a network policy for compliant computers:

  • Expand Policies
  • Click Network Policies
  • Disable the two default policies
  • Create a new policy named Compliant-Full-Access
  • In Specify Conditions click Add
  • In Select Condition, double-click Health Policies
  • Under Health policies select Compliant
  • In Specify Access Permissions verify that Access granted is selected
  • In Configure Settings click NAP Enforcement and verify that Allow full network access is selected
  • Click Finish

Now we have to create a network policy for non-compliant computers:

  • Create a new policy named NonCompliant-Restricted
  • In Specify Conditions click Add
  • In Select Condition, double-click Health Policies
  • Under Health policies select NonCompliant
  • In Specify Access Permissions verify that Access granted is selected (the client is admitted, but with limited access; Access denied would block it outright and prevent remediation)
  • In Configure Settings click NAP Enforcement, select Allow limited access, and select Enable auto-remediation of client computers
  • In Configure Settings click IP Filters
  • Under IPv4 create a new input filter for Destination Network with the following values: IP address 10.10.0.10 (this should be the IP address of the DC computer, so a restricted client can still reach it for remediation) and subnet mask 255.255.255.255
  • Click OK to close the Add IP Filter dialog box and select Permit only the packets listed below in the Inbound Filters dialog box
  • Create a new output filter with the following Source Network values: IP address 10.10.0.10 and subnet mask 255.255.255.255
  • Click OK to close the Add IP Filter dialog box and select Permit only the packets listed below in the Outbound Filters dialog box
  • Click Finish

Note that the 255.255.255.255 mask limits each filter to that single host, and that these IP filter attributes are enforced by the RRAS VPN server; other NAP enforcement methods do not use them.
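Before trusting the two network policies above, it is worth checking on SRV which policy NPS actually applied to a test connection. NPS logs every decision to the Security log as Microsoft-Windows-Security-Auditing events: 6272 (access granted), 6273 (access denied), 6276 (quarantined, i.e. limited access) and 6278 (full access because the health policy was met). The PowerShell below is an added example for this check, not part of the original post; it also exports the NPS configuration first with netsh nps export so the policy change can be rolled back. The EventData element names it reads (NetworkPolicyName, SubjectUserName, FullyQualifiedSubjectMachineName, QuarantineState, Reason) are assumptions about the event XML; compare them against the raw XML of one event on your own server.

```powershell
# Added example (not from the original post): show which NAP network policy
# NPS applied to recent connections, by reading NPS audit events from the
# Security log on SRV. Run in an elevated PowerShell prompt on SRV.

function Backup-NpsConfig {
    param([string]$Path = "C:\nps-before-nap.xml")
    # Export the complete NPS configuration, including RADIUS shared secrets,
    # so the change can be rolled back with: netsh nps import filename="<Path>"
    netsh nps export filename="$Path" exportPSK=YES | Out-Null
    return (Test-Path $Path)
}

function Get-NapDecision {
    param([int]$MaxEvents = 50)

    # Standard NPS event IDs in the Security log.
    $ids = 6272, 6273, 6276, 6278
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Each EventData/Data element carries a Name attribute; collect them
        # into a hashtable so individual fields can be picked out by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $outcome = switch ($e.Id) {
            6272 { 'granted' }
            6273 { 'denied' }
            6276 { 'quarantined (limited access)' }
            6278 { 'full access, health policy met' }
        }

        # Field names below are assumptions about the NPS event XML schema.
        New-Object PSObject -Property @{
            Time          = $e.TimeCreated
            Outcome       = $outcome
            NetworkPolicy = $data['NetworkPolicyName']
            User          = $data['SubjectUserName']
            Machine       = $data['FullyQualifiedSubjectMachineName']
            Quarantine    = $data['QuarantineState']
            Reason        = $data['Reason']   # only meaningful on 6273 (denied)
        }
    }
}

# Expected after a test connection from the client:
#  - with the client firewall enabled, NetworkPolicy should read Compliant-Full-Access
#  - with the client firewall disabled, NetworkPolicy should read NonCompliant-Restricted
#    and Outcome should read "quarantined (limited access)"
Backup-NpsConfig | Out-Null
Get-NapDecision | Format-Table Time, Outcome, NetworkPolicy, User, Machine, Quarantine -AutoSize
```

If a non-compliant client shows up as granted under Compliant-Full-Access, the usual causes are a health policy still pointing at the wrong SHV check, or the two default network policies not having been disabled so they match first.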

Next time we will configure connection request policies
