Microsoft 2007 Series, Part 1

Uploader: xh****66 | Document ID: 61816701 | Uploaded: 2018-12-13 | Format: PPT | Pages: 42 | Size: 5.63 MB


SVR311: Windows Server Network Policy Server Fundamentals: Implementing NAP

Session Objectives and Agenda
- Where did NPS come from?
- NPS architecture
- NPS/NAP configuration demonstration
- Design and deployment best practices
- What NAP is and isn't all about

What Is NPS?
- Network Policy Server is the successor to Internet Authentication Service (IAS)
- Provides policy and health verification
- Only in Windows Server 2008
- NPS is the Microsoft implementation of the RADIUS standard and supports the major RADIUS RFCs

What Is NPS Used For?
- NPS provides policy definitions and enforcement; it is not an authentication source
- When an access request reaches NPS, it assesses the request against its policies, then uses Active Directory to authenticate the user or device

Simple NPS Authentication Workflow (diagram)
- Access devices (VPN device, wired network, wireless network, dial-up) send requests to the Network Policy Server, which applies its policy rules

Architecture (diagram)
- IAS.xml: read/write configuration data
- dnary.xml: dictionary of NPS attributes
- Data Store Server / Data Access: abstracts the XML files to all processes (COM server)
- SDO: Server Data Objects; implements the COM API
- SDO Helper: abstracts SDO, simplifying end-user interface points
- Netsh and MMC: management front ends
- Policy Engine, IAS Helper, RADIUS Server
- Dllhost.exe; process boundary
- Note: a configuration export taken with "netsh nps export" includes the RADIUS shared secrets in clear text when exportPSK=YES, so store and transfer such exports as you would any credential

Policy Engine
- Requests are sent into a processing pipeline composed of various stages
- Each stage takes the request as an IN/OUT parameter
- Each stage may return one of the following values: Reject, Accept, or Discard
- At the end of the pipeline, the request is transformed into a RADIUS packet and sent back on the network

Policy Processing
- IAS policies are sequential, rule-ordered policies
- One and only one policy applies to an access request
- Policy 1, Healthy: if the machine is healthy, allow full access; else go to the next policy
- Policy 2, Unhealthy: if the machine is unhealthy, put it in the restricted network and push updates; else go to the next policy
- Policy 3, Downlevel: if the machine is downlevel, put it in the restricted network; else go to the next policy
- Default: if no other policy applies, deny network access

Network Access Protection: how many of your users...
- try to circumvent your security?
- don't care about security?
- are willing to place the business at risk?
- have absolutely no idea, or are ignorant?
- use their own home machines to connect to your corporate network?
- are network admins and still don't care about security, or think they should be exempt?
- are just plain dangerous?
Users thinking they know better: policy and enforcement (diagram labels)

NAP is not a silver bullet
- NAP cannot protect the network from malicious users and systems
- NAP is designed as the health overlay to the network security systems
- NAP is dependent on its enforcement mechanisms. Especially important: IPsec, VPN, 802.1X and DHCP need a security assessment and correct design first! Think about the security implications (DHCP is the weakest of the four: a client with local administrator rights can sidestep it by assigning itself a static address)

Health Modeling: what do I consider healthy for my network?
- Do I have a written and approved health policy? This is more than a technical discussion: different areas and divisions will have different policies
- What are the corporate basics, and what are the niche policies?
  Basics: anti-virus, patch control, personal firewall, etc.
  Niche: specialized OS configuration, application sets, PKI allotments, etc.
- Allot the time and resources to assess your corporate risk areas
- Health control should be a top-down mandate for the enterprise
- Allot the time to work with divisions and their architects

What can I do to prepare now?
- Take advantage of the time you have to prepare your networks for the new model
- Build a virtualised test LAN!
- Deployment preparation tasks: health modeling; exemption analysis; health policy zoning; secure network infrastructure analysis; IAS (RADIUS) deployment; zone enforcement selection; rollout planning and change process control; success matrices and measures

NAP Enforcement Options

Exemption Analysis: who gets a "pass"?
- Basic exemptions will be supplied by default (OS level and type)
- Exemptions need to be manageable
- Work up an exemption documentation process; eventually you will want to know where the holes are!
- Mitigation plans for the exemptions: can we isolate them through other means? IP segmentation, VLAN control, extranet/guest access

SCCM 2007 supporting NAP (diagram)
- Components: Primary Site, Health Registration Authority, Network Policy Server with the SCCM System Health Validator (SHV), distribution point (DP), management point (MP), Active Directory, Microsoft Update
- Networks: quarantine/restricted network, boundary network, protected network
- Steps as labelled: download updates to the site server; deploy updates to the DP; publish the health state in Active Directory; retrieve the health state policy; send the Statement of Health for evaluation; download new policy; install required updates; healthy client

Policy Pipeline for NAP (diagram)
- Stages, in order: Machine Name Mapping -> Machine Account Validation -> Network Access Policy -> Quarantine Evaluator -> Post-Quarantine Evaluator
- Attributes passed between stages (IN -> OUT):
  NT4-MachineName -> NT4-MachineName, QuarantineSession, QuarCorrelationID, Machine-Inventory, Not-Quarantine-Capable
  QuarantineSession -> Windows-Machine-Groups
  Windows-Machine-Groups, Machine-Health-Result -> Machine-Health-Results
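The Policy Engine, Policy Processing and Policy Pipeline for NAP slides above describe NPS as a chain of stages that each read and write the request and return Accept, Reject or Discard, with network policies tried in order until exactly one matches and a default deny at the end. The Python model below is an added example, not code from the deck or from NPS itself: it reuses the slides' stage and attribute names, but its health rules, stand-in directory, sample requests and simplified stage order (health is evaluated before the network policy is chosen) are constructed for illustration. It makes two points the slides only imply: Discard produces no RADIUS reply at all, whereas Reject is an explicit Access-Reject, and because only the first matching policy applies, a permissive policy placed ahead of the health policies silently bypasses the health check.

```python
"""Toy model of the NPS request pipeline and first-match policy ordering.

Added example, not NPS source code. Stage and attribute names (NT4-MachineName,
Windows-Machine-Groups, Not-Quarantine-Capable, Machine-Health-Results) come from
the slides; the health rules, stand-in directory, sample requests and simplified
stage order (health evaluated before the network policy is chosen) are constructed.
"""
from enum import Enum


class Verdict(Enum):
    CONTINUE = "continue"      # hand the request to the next stage
    ACCEPT = "Access-Accept"   # returned on the wire as a RADIUS Access-Accept
    REJECT = "Access-Reject"   # returned on the wire as a RADIUS Access-Reject
    DISCARD = "discard"        # nothing is sent; the access device just times out


# Constructed stand-in for Active Directory: machine account -> group memberships.
DIRECTORY = {"PC-01": ["Domain Computers", "Finance-Workstations"],
             "PC-02": ["Domain Computers"]}

# Constructed "corporate basics" health policy: every SoH item must report True.
REQUIRED_HEALTH = ("antivirus", "patched", "firewall")


def machine_name_mapping(req):
    """IN: NT4-MachineName. OUT: Not-Quarantine-Capable.
    A request naming no machine cannot be attributed and is discarded, the same
    silent treatment RFC 2865 prescribes for requests from unknown RADIUS clients."""
    if not req.get("NT4-MachineName"):
        return Verdict.DISCARD
    # A NAP-capable client sends a Statement of Health; a downlevel client does not.
    req["Not-Quarantine-Capable"] = "Statement-of-Health" not in req
    return Verdict.CONTINUE


def machine_account_validation(req):
    """IN: NT4-MachineName. OUT: Windows-Machine-Groups from the directory."""
    groups = DIRECTORY.get(req["NT4-MachineName"])
    if groups is None:
        return Verdict.REJECT  # no such machine account: explicit Access-Reject
    req["Windows-Machine-Groups"] = groups
    return Verdict.CONTINUE


def quarantine_evaluator(req):
    """IN: Statement-of-Health. OUT: Machine-Health-Results (healthy/unhealthy/downlevel)."""
    if req["Not-Quarantine-Capable"]:
        req["Machine-Health-Results"] = "downlevel"
    else:
        soh = req["Statement-of-Health"]
        ok = all(soh.get(item, False) for item in REQUIRED_HEALTH)
        req["Machine-Health-Results"] = "healthy" if ok else "unhealthy"
    return Verdict.CONTINUE


def health_is(value):
    return lambda r: r["Machine-Health-Results"] == value


# Network policies as (name, condition, network, verdict), tried in list order.
# Exactly one applies: the first whose condition holds. A request matching none
# falls through to the slides' default policy and is denied.
DEFAULT_POLICIES = [
    ("Healthy", health_is("healthy"), "full", Verdict.ACCEPT),
    ("Unhealthy", health_is("unhealthy"), "restricted+remediate", Verdict.ACCEPT),
    ("Downlevel", health_is("downlevel"), "restricted", Verdict.ACCEPT),
]


def network_access_policy(req, policies):
    for name, condition, network, verdict in policies:
        if condition(req):
            req["Policy"], req["Network"] = name, network
            return verdict
    req["Policy"], req["Network"] = "Default", None
    return Verdict.REJECT


def process(request, policies=DEFAULT_POLICIES):
    """Run one access request through the stages.
    Returns (verdict, network granted, policy or stage that decided)."""
    req = dict(request)  # one IN/OUT structure handed from stage to stage
    for stage in (machine_name_mapping, machine_account_validation, quarantine_evaluator):
        verdict = stage(req)
        if verdict is not Verdict.CONTINUE:
            return verdict, None, stage.__name__
    verdict = network_access_policy(req, policies)
    return verdict, req["Network"], req["Policy"]


# Constructed sample requests.
FULL_SOH = {"antivirus": True, "patched": True, "firewall": True}
HEALTHY = {"NT4-MachineName": "PC-01", "Statement-of-Health": FULL_SOH}
UNHEALTHY = {"NT4-MachineName": "PC-01", "Statement-of-Health": {**FULL_SOH, "patched": False}}
DOWNLEVEL = {"NT4-MachineName": "PC-02"}  # no SoH at all: pre-NAP client
UNKNOWN = {"NT4-MachineName": "ROGUE-LAPTOP", "Statement-of-Health": FULL_SOH}
ANONYMOUS = {}

# The ordering hazard: a convenience rule for all domain computers placed first.
# Since exactly one policy applies, it grants full access before health is consulted.
MISORDERED = [("Domain PCs", lambda r: "Domain Computers" in r["Windows-Machine-Groups"],
               "full", Verdict.ACCEPT)] + DEFAULT_POLICIES
```

Call process(request) with the default policy order and process(request, MISORDERED) to compare: the unhealthy PC-01 lands in the restricted network under the first and gets full access under the second, which is exactly the kind of misplaced "allow all domain computers" policy to look for when reviewing the processing order of a real NPS deployment. Note also that restricted access is still an Access-Accept carrying different attributes, not a Reject; only the default policy rejects.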
