Troubleshooting Network Access Protection

I just setup a lab environment to test several of the following NAP enforcement features:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server

The first NAP enforcement feature I configured was for DHCP.  It is the least complicated and easiest scenario to test.  I’ve also used as a guideline the following Microsoft white paer Step by Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab .  My original setup included the following:


  • Server2008
  • Domain Controller
  • NPS
  • DHCP


  • Member Server joined to domain
  • DHCP Client

The issue I encountered was that SRV1 was unable to get an IP address from the DHCP server.  If I turned off NAP on the DHCP server either at the IPv4 or Scope level then SRV1 was able to obtain an address.  After doing some testing I was able to get it to work but only changing the “Error Code Resolution” features in the Windows Security Health Validator to the following:

SVH unable to contact required services – Noncompliant

SHA unable to contact required services – Noncompliant

SHA not resonding to NAP client – Compliant

SHV not responding – Noncompliannt

Vendor specific error code received – Noncompliant

The issue I discovered is that Server2008 doesn’t have a Security Health Agent.  The SHA also depends on the Windows Security Center, which isn’t included in Server2008 either.  Only after chaning the “SHA not responding to NAP client” setting to “Compiant” was SRV1 able to receive an address via DHCP. 

After discovering the issue with SHA on Server2008 I did some research and found the following posting “Include Security Center and Windows SHA on Server 2008” on the Microsoft Technet forum for NAP.


Network Access Protection (NAP)

One of the new security services being offered Windows Server 2008 is called Network Access Protection.  NAP requires that clients (Vista SP1, XP SP3, Server 2008) to complete a health check of thier system which is then submitted to a NAP server.  NAP then compares the results with some preconfigured System Health Validators and based on the results the NAP server will place the client onto one of the following networks:

  • Private Network:  Client meets all required SHV’s
  • Remediation Network: Segmented network used to remediate any current health issues
  • No Network Connectivity

Here is a list of the current acronyms being used when discussing NAP:

  • NPS = Network Policy Server (the NAP server)
  • SHA = System Health Agent (client-side NAP plug-in)
  • SHV = System Health Validator (server-side NAP plug-in)
  • SoH = Statement of Health (created by the  client)  
  • SSoH = System Statement of Health  (sent by client, combination of several SoH’s)
  • SoHR = System of Health Response (response from server to SS0H)

There are also several different enforcement types:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server

Here is the list of the default Windows Security Health Validators which are used to evaluate the current health of the client machine. 

  • Windows Firewall
  • Antivirus (additonal: updated virus definitions)
  • Spyware Protection (additional: updated spyware definitions)
  • Automatic Updating
  • Security Update Protection (additional: Important, Moderate, Low, WSUS or Windows Updates)i

NAP can also be extended and centralized using the following Microsoft products:

  • System Center Configuration Manager 2007
  • Forefront Security Security



Windows 2003 Security Guide

Most of the exercises done by the students only accomplish to reveal a setting here and there within Group Policy Objects or the local policy.  I would like however to provide a more comprehensive look at security and in order to so will be using a variety of methods and tools to accomplish this.  The following are my currently defined objectives:

  • Define baseline security measures

  • Define and create role specific templates

  • Apply all security templates using GPO’s

  • Implement authentication & encryption at the Network layer using IPSec

  • Configure any manual changes as required to improve security

After doing some research I’ve decided to follow the “Windows 2003 Security Guide”. The guide is broken into 13 chapters and covers both baseline and server specific roles using GPO’s and the Security Configuration Wizard that is available with Sever2003 SP1.   In additional, IPSec will also be configured to provide an extra layer of protection for IP packets.  IPSec not only acts as a packet filtering firewall but can be configured to require either Authentication and\or Encrpytion for all IP packet. Authentication is provided using Message Hash Authentication Code (MD5 or SHA1) and Encryption using either DES or 3DES.

The primary server roles that are discussed in the guide include:

  • Domain controllers that include DNS services

  • File\Print Servers

  • Web Servers

  • Microsoft Internet Authentication Server (IAS) servers

  • Certificate Services (CA) servers

  • Bastion Hosts

I’ve also chosen to use the Enterprise Client Member Server Baseline.inf security policy provided by the guide. Also, in order to assist in determing which ports are required for server specific roles I will reference the “Network Ports Requirements for Server 2003”

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: