Network Access Protection

NPA (Network Access Protection)
After we have successfully installed NPS (Network Policy Services) we are able to deploy NPA (Network Access Protection). This will further enhance our VPN connections (or even LAN connections if we wanted too).

What is NPA, in a nutshell, it’s a system to enforce certain rules on a PC that is connected to our network. For instance NPA will allow an administrator to enforce that all PC’s have auto update switched on, or even that it is fully patched, before such a PC is allowed full access to the network, if it doesn’t comply with this policy, it is either revoked access, or allowed limited access to certain services, so that it can actually be repaired. In this case, if the PC doesn’t have auto update switched on, it could then be switched on automatically, or if it is not fully patched, we would allow access to a WSUS server, so that it actually can be patched to the level required by the policy. As soon as it has met the requirements, full access is restored. The servers or services are that are used to “repair” a client are called remediation services.


There are a few components that together achieve such a thing, at the heart of all of it, is the NPS (Network Policy server). Here you define the policies, and the actions that need to performed if a PC doesn’t meet this policy. On the Client side there is the NPA client, which is configurable either manually or via group policy. Then there are the network components, like DHCP server, switches, Wireless access points, that play a role in revoking or restricting network access.
NPA can be implemented using the following methods:

DHCP. This method relies on the DHCP server, if the client doesn’t meet the policy, the DHCP server will remove the default gateway, so that communication with other devices is not possible (except for the remediation services) Of course this doesn’t cover PC’s which are configured to have a fixed IP address, this is the clear weakness of this method.

IEEE 802.1X wired and wireless. This methods works together with a 802.1X wired switch or 802.1X wireless access point. (they need to be NPA compliant), here network access is restricted by using the physical layer.

VPN. This is the method that will be explained in this post.

IPSEC with HRA, this is the most difficult method to implement, as it will not restrict access, rather it will ignore computers that are non NAP compliant or non NAP capable.

We are going to implement Network Access Protection for our VPN connection, then we will configure the client and finally test our NPA policy.

Before we are going to set up the policies there are several things we need to consider. Before we make these considerations, let’s just discuss some of the terminology used by NAP:

NAP Compliant

When a computer (or network device) is considered NAP compliant, it means that it complies to the policy.

NAP Non Compliant

The opposite of NAP Compliant, we need to consider what to do with such a system, do we restrict access, do we repair this non compliance

NAP Capable

A computer (or network device) is considered NAP capable, if it has a NAP client loaded and ready, so that we can asses our policy and act accordingly.

NAP Non Capable

A computer (or network device) is considered NAP non capable if it doesn’t have a NAP client loaded, this is the most important consideration, as we cannot repair such devices. In our VPN example, these would be PC’s that don’t have a NAP client. Either because we didn’t load one, or because the client is running on an operating system, where we cannot load a NAP client. For instance, currently only Windows XP SP3 and Windows Vista (and Server 2008) do have a NAP client available. So in our case, if we have a Windows 2000 laptop, using VPN, then of course we need to consider how to deal with such a system. Computers running certain Linux distributions, OSX systems. Now of course for some of these operating systems, there might be NAP clients either commercially available or part of the OS, but we need to consider such systems.

Now if a computer is NAP Non Compliant, are we going to provide services to repair such computers, (remediation services). Think of WSUS for auto updates, think of servers that can update virus definitions, like Mcafee’s EPO for instance.

To make this work, we need two parts, one is the client setup part, which we will do using group policy, but I will also show the manual client setup, as the client I will be using to test this, is not part of the domain. The second part is the setup of the policies, which is done using NPS.

Let’s get started, first we need to define a group, this group will contain all computers that we wish to include into NAP. Typically in our case, they would contain all the client computers that use VPN, so that we can deploy the needed client settings on the computer, these settings are:

NAP agent is started automatically
NAP Agent enforcement clients, we must ensure that we enable the remote access quarantine client.
We need to turn on Security Center (this service, is disabled by default when you join a computer to a domain.
Finally we need to filter the group policy to apply to computers, not users.

So let’s go to server manager, features and group policy manager, browse to the testcompany.nl domain and right click, select create new GPO and link it here.



The next screen will allow you to name the group policy, I entered NAP Client settings, then press ok.

Select the GPO we just created, right mouse and select edit. Now we can edit the group policy. First we make sure the NAP agent is started automatically (it acts as a service). We go to computer configuration, policies, windows settings, security settings, system services, double click network access protection agent, and tick define this policy and set the service startup mode to automatic. Next step is to enable the remote access quarantine service, go to Computer configuration, policies, windows settings, security settings, network access protection, NAP client configuration, and enforcement clients, double click the remote access quarantine enforcement client and set it to enabled. Right click NAP client configuration and select apply. Finally we need to set the security center to enabled for domain computers, this can be done by going to computer configuration, policies, administrative templates, windows components, security center (domain PC’s only) and set the property to enabled.

Now we need to create a group inside active directory to apply this policy to, so create a group in active directory and computers, and add computers that you want to deploy this group policy to. (My client computer is not part of this domain, so we need to enable these settings manually later on in this post). I have called my group, NAP clients, so back in group policy management, select the NAP client settings policy, and under security filtering, remove authenticated users and add the group NAP clients.



Now domain joined computers will receive the correct settings for NAP to work.

Now we are ready to configure the NPS server to enable NAP. Go to the server manager, roles, network policies and access services, NPS (local), or use administrative tools, Network Policy services. We are going to take this the easy way and run a wizard. Click on configure NAP, this will startup the wizard that we are using to setup NAP. Select Virtual Private Network as Network connection method and change the policy name if needed and press next.



In the next screen that appears just press next, we don’t need radius clients (NPS servers) as we run a local NPS server.

The next screen give us the possibility to specify machine or user groups to which we want to grant access, this will also override the allow dial in property in active directory. In this case, we don’t add groups and just press next.

The next screen let us select the certificate that is going to be used by the NPS server, This is the certificate that is used if you select verify server certificate in the client, it’s not necessarily the same certificate as used by our SSTP VPN server. I left it at the suggested certificate, further you have to select the authentication method here, select smart card or other certificate as our EAP type.

The next screen will enable us to configure NAP remediation server group, in this group you would include your WSUS server (for patch management) and maybe an EPO server (if you use Mcafee as your virus scanner), so that if a computer is not Nap compliant, it can be repaired using the computers (ip addresses or DNS names) that are included in this group.



To add a new group, press the new group button, name the group, to add servers, click on add, enter a friendly name (like WSUS server) and the relevant IP address or DNS hostname. Add as many as needed, press ok next to go to the next screen of the wizard.



The following screen allows us to select the system health validator that is going to be used (the default Windows security health validator is already selected, after this wizard is finished we are going to configure it to suit our needs). We also enable the auto remediation of client computers option, which is selected by default, and finally we can select what to do with Nap ineligible client computers (I don’t know why they come up with a different naming here, but they are referring to NAP non capable computers (see earlier in this post). We leave it at the default value for now. Press next, and we are presented with a summary of the choices we have made, press finish to end the wizard.

The wizard has created the following policies for us (which we can edit if needed)

Connection request policies: NAP VPN
Network Policies: NAP VPN Compliant, NAP VPN Noncompliant and NAP VPN Non NAP Capable.
Health Policies: NAP VPN Compliant and NAP VPN Noncompliant.

The connection request policy defines the authentication methods, which groups are allowed.

The Network policies define what access will be granted based upon the three conditions, NAP Compliant, NAP non compliant and NAP Non NAP capable.

The Health policies define the compliance of NAP, If you look at the health policy, you will see that a computer is considered NAP VPN compliant, if it passes all checks configured in the SHV (Security Health Validator), it is considered NAP VPN non compliant if it fails one or more of the SHV checks. The SHV used is also selected, we still need to configure the SHV, we do this soon.


Expanding further in the NPS tree, we can find our system health validator or and the remediation server group that the wizard created.




Let’s configure the SHV, in the NPS tree, go to System Health Validators and double click the Windows security health validator.

Click on configure and we will get to the screen where we actually configure the Windows Security Health Validator, this is where we will set the requirements that a client PC has to meet, before it is considered healthy or NAP compliant.



You can required a firewall to be enabled, require an anti virus application that is also up to date, the same for anti spyware and require that automatic updating is enabled. In addition you can also require that certain security updates are installed by selecting the level of security updates that at least need to be installed, like critical or Important and above, and other levels.

I just leave the defaults. This is all we have to configure on the server side.

As already mentioned, our client computer isn’t part of our testcompany.nl domain, therefore it cannot take advantage of the group policy settings that we have made earlier. No worries, you can also setup the NAP client using other utilities. For vista and server 2008 we use the mmc napclcfg.msc to configure the client. For XP, you need to use netsh to setup the nap client.

On both vista/server 2008 and XP you need to set the Network access protection agent service to startup automatically by using services.msc, locate the service and set it to start automatically and start it. Then you need to do the same for the security center service.

You also need to enable the security center by running gpedit.msc, and go to computer configuration, administrative templates, windows components, security center and enable the security center.

In XP only, you need to run cmd and enter netsh nap client set enforcement id = 79618 admin = ‘enable’ where the id 79618 is the Remote access quarantine enforcement client.

In Vista or Server 2008 we can do this by running napclcfg.msc. Go to enforcement clients and enable the Remote Access Quarantine enforcement client.



We are now ready to test the connection. We can use the same connection as we previously used in the SSTP posts. Depending on the client status, the connection should work. Refer to the SSTP posts regarding the properties of the connection.



Now we are going to disable the firewall, and we should actually see something happening. Or not If everything was configured correctly (and it was in my case), the minute I disabled the firewall, it was re-enabled straight away. This is because I have set the auto remediation to enabled, this not only means that virus definitions are updated, or updates are installed using the remediation servers, but also that settings like firewall, are automatically being fixed. The agent would simply re-enable the firewall. Now to actually see that network access has been denied, I disabled the virus scanner on my test PC. I am using Mcafee virusscan on this PC, and as I write this, the agent isn’t able to restart it for me. (the Mcafee EPO server that I have running will actually do that for me in this case). But I just needed a way to show you the warning message that NAP will show.



We see the security center’s red cross (virus scanner is stopped) and next to it we see the nap client’s notification icon + the notification that this computer doesn’t meet the requirements of this network. At this point and until the virus scanner has been re-enabled, I would not be able to reach any computer, except for the computers that are included in the remediation group. Also note the exclamation mark in the network icon, the NPS server has clearly limited our vpn connection. If you double click on the NAP icon, you would get the following screen:



Windows also notifies us that it cannot enable this third party antivirus product. Of course it can re-enable the firewall as we have noticed before.

If we would enable the antivirus application ourselves we would see the following:



Now or client again complies with the requirements so full network access is restored, note the network icon, now shows no exclamation mark. If you double click the nap icon, you get a more detailed description:



This concludes this post.

In my next post I will explain about the logging options that are available for NPS.

Out of the box, there is text logging, but I will also explain how to log to an SQL server, so that you can enquire the log using MS. Access, which is a better way then using the text files that come by default.